On Wed, Jan 10, 2018 at 5:46 AM, Jan Kurik <jkurik@xxxxxxxxxx> wrote:
> = System Wide Change: Rename "nobody" user =
> https://fedoraproject.org/wiki/Changes/RenameNobodyUser
>
> Change owner(s):
> * Zbigniew Jędrzejewski-Szmek <zbyszek AT in DOT waw DOT pl>
> * Lennart Poettering <lpoetter AT redhat DOT com>
>
> Use "nobody:nobody" as the names for the kernel overflow UID:GID pair,
> and retire the old "nfsnobody" name and the old "nobody:nogroup" pair
> with 99:99 numbers.
>
>
> == Detailed Description ==
> Status quo: Fedora statically defines "nobody:nobody" pair with
> uid:gid of 99:99 in setup.rpm, and "nfsnobody:nfsnobody" pair with
> uid:gid of 65534:65534 in nfs-utils.rpm.
>
> This is problematic in a few different ways:
> * 65534:65534 is used by the kernel as the overflow identifier, when
> some UID cannot be represented in the current namespace. This applies
> to NFS, but probably more commonly nowadays to UIDs outside of
> the current user namespace (e.g. when a file or process is owned by a
> user from outside of a container). Calling this "nfsnobody" is
> misleading.
> * the name for the overflow user is only defined when nfs-utils.rpm is
> installed. In particular in containers people want to minimize the
> number of packages installed, so nfs-utils is likely not to be
> installed.
> * the static nobody:nobody user/group pair was used for various
> services which weren't "worthy" of creating a dedicated user. This
> is a severely misguided concept, because all processes of the nobody
> user can ptrace and otherwise interact with each other. Separate users
> for each service should be used instead, either normal allocated users
> or systemd's DynamicUser's.
> * other distributions use either nobody:nobody or nobody:nogroup for
> the overflow uid:gid pair, and the different naming in Fedora is
> confusing and can lead to incorrect use.
>
> We propose to:
> * stop using nfsnobody for the overflow uid/gid names
> * stop using nobody for the static user 99 and group 99
> * use the nobody:nobody pair of names for 65534:65534
>
> On existing systems, to make upgrades easier:
> * if nfsnobody was defined, keep it in /etc/passwd *after* the new
> line for nobody:nobody, so that both the old name and the new name map
> to the same numbers
> * if nobody user or group with number 99 was defined, keep it in
> /etc/passwd and /etc/group, but rename to _nobody
>
> The new mapping for nobody:nobody would be implemented in two redundant ways:
> * as a static allocation in /etc/passwd and /etc/group managed by setup.rpm
> * dynamically provided by the nss-systemd module (by compiling systemd
> with -Dnobody-user=nobody -Dnobody-group=nobody).
>

Two questions:

1. Why nobody:nobody instead of nobody:nogroup? I've seen the latter in use
   in several distributions.
   * For note, we use this in Mageia: http://gitweb.mageia.org/software/setup/tree/group
   * Debian and Ubuntu also define it this way.

2. For existing systems, would renaming the nobody:nobody user to
   oldnobody:oldnobody work instead? The uid would be preserved, which should
   keep the mapping sane, and it would make it more obvious that it's old,
   rather than using weird underscores.

In general, I support this change because the two nobody users made things
confusing for me and many other people. Simplifying this would also harmonize
things with everyone else, which helps for portability of things. :)

-- 
真実はいつも一つ!/ Always, there's only one truth!
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
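An added example, not part of the thread and not code from setup.rpm or systemd: a small Python resolver that mimics the first-match lookup of the glibc "files" NSS backend over constructed passwd-style tables, to show why the proposal keeps the legacy nfsnobody line after the new nobody line and why the legacy 99 entry can carry any name (_nobody, oldnobody) as long as it is no longer "nobody". The sample tables, the check function and the fallback to 65534 are my own assumptions.

```python
# Added example: first-match id/name resolution over constructed passwd
# tables, illustrating the upgrade ordering proposed in the thread.

# Constructed sample: the Fedora status quo described in the proposal.
PASSWD_STATUS_QUO = """\
nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
"""

# Constructed sample: the same system after the proposed upgrade handling.
PASSWD_AFTER_UPGRADE = """\
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
_nobody:x:99:99:Nobody:/:/sbin/nologin
"""

def parse_passwd(text):
    """Return (name, uid) pairs in file order; blank and comment lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        entries.append((fields[0], int(fields[2])))
    return entries

def name_for_uid(entries, uid):
    """getpwuid() semantics for the files backend: first line with that uid wins."""
    return next((name for name, u in entries if u == uid), None)

def uid_for_name(entries, name):
    """getpwnam() semantics: first line with that name wins."""
    return next((u for n, u in entries if n == name), None)

def kernel_overflow_uid(path="/proc/sys/kernel/overflowuid"):
    """Kernel overflow uid on Linux; assumed default 65534 where the file is absent."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return 65534

def overflow_mapping_ok(entries, overflow_uid=65534):
    """True when the overflow uid resolves to "nobody" and uid 99 no longer does."""
    return name_for_uid(entries, overflow_uid) == "nobody" and name_for_uid(entries, 99) != "nobody"
```

Swapping the two 65534 lines makes the uid resolve back to "nfsnobody", which is the ordering mistake the proposal's upgrade rule guards against.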