On Fr, 12.01.18 10:41, Steve Dickson (SteveD@xxxxxxxxxx) wrote:

> >>> It's not systemd that came up with reusing 65534 for user
> >>> namespacing. It's kernel people:
> >>>
> >>> $ cat /proc/sys/kernel/overflowuid
> >>> 65534
> >>
> >> How was that number chosen and why can't it be changed?
> >
> > It's conceptually the same thing: it's where UIDs are mapped that
> > cannot be mapped properly otherwise.
>
> Right... I'm assuming this overflow almost never happens
> from looking at the code.

Nope, it happens *all* the time. Just look into /proc in a container with user namespacing. You'll see that the majority of files there are owned by 65534, as these files for security reasons are owned by the root user of the host (and not the root user of the container), and that user tends not to be mapped to the container, so that the container cannot make changes to /proc.

If userns is used it's very hard to not see the UID 65534 popping up all the time.

> So the problem trying to be solved is when the overflow uid/gid
> are used (which is rarely), the owner of the file becomes
> nfsnobody which does not make any sense because it is on a local filesystem.
>
> If this is the case, may I suggest that since the overflow uid/gid is
> basically an arbitrary value and easily changeable... Why not
> have some boot process echo '99' into /proc/sys/kernel/overflowuid
> which would match nicely to a uid/gid of a user named 'nobody'?

Well, uh, because nobody does that. Also: why? It's conceptually the same thing.

And sorry to bring this to you, but I figure the users of userns (through all its incarnations in Docker, flatpak, bubblewrap, nspawn, LXC, …) are much more numerous than the ones of NFS, and the mindshare is probably with them.

You appear to suggest that changing the name of user 65534 would create mapping problems for NFS that didn't exist before. But that's bogus, as these mapping problems always existed pretty badly, since the name "nfsnobody" is a Fedoraism/Redhatism, and other distros tend to use nobody:nogroup or nobody:nobody for that user, and hence you have to deal with the differences with the naming anyway already, in all your code. I mean, NFS is not a Fedora/Red Hat-only thing, is it?

And it's definitely our intention to improve on this, and just give up on this Fedoraism/Redhatism, and move to something more generic.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
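As an added illustration of the mapping Lennart describes (this is example code, not from the thread, systemd or the kernel), the following Python resolves a host uid through a constructed uid_map the way the kernel does, reporting the overflow uid for anything unmapped, and looks up whatever name the local passwd database gives that uid. The function names and the sample map are assumptions made here.

```python
import pwd

# Constructed sample of a container's /proc/<pid>/uid_map; each line is
# "<id inside the namespace> <id on the host> <count>". The host's root
# (uid 0) is deliberately left unmapped, as in the /proc example above.
SAMPLE_UID_MAP = "         0     100000      65536\n"

# Kernel default reported by /proc/sys/kernel/overflowuid.
DEFAULT_OVERFLOWUID = 65534


def parse_uid_map(text):
    """Parse uid_map/gid_map text into (inner, outer, count) triples."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        inner, outer, count = (int(p) for p in parts)
        ranges.append((inner, outer, count))
    return ranges


def host_uid_as_seen_in_ns(host_uid, ranges, overflowuid=DEFAULT_OVERFLOWUID):
    """Uid that a file owned by host_uid shows inside the namespace.

    A host uid outside every mapped range has no representation there and
    is reported as the overflow uid; that is why host-root-owned /proc
    entries appear as 65534 in a user-namespaced container.
    """
    for inner, outer, count in ranges:
        if outer <= host_uid < outer + count:
            return inner + (host_uid - outer)
    return overflowuid


def read_overflowuid(path="/proc/sys/kernel/overflowuid"):
    """Read the running kernel's overflow uid, falling back to the default."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return DEFAULT_OVERFLOWUID


def uid_label(uid):
    """Name the local passwd database gives a uid ('nobody', 'nfsnobody', ...)."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return None
```

Running `uid_label(read_overflowuid())` on different distributions shows the naming difference the message refers to, since the uid is the same while the name is not.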