Re: Towards enabling rpm sysusers integration

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 6/28/23 17:15, Lennart Poettering wrote:

On Di, 27.06.23 12:04, Panu Matilainen (pmatilai@xxxxxxxxxx) wrote:


On 6/22/23 19:55, Steve Grubb wrote:


https://fedoraproject.org/wiki/Changes/Adopting_sysusers.d_format


I would caution against this whole proposal. Not that I'm against it, but
just saying be careful doing it. People often forget about our security
concerns. Currently, shadow-utils has about 400 places which generate audit
events during the managing of system and user accounts. libuser (I saw the
deprecation email) has 55 places where it sends audit events managing
accounts.

There is a 10 year old (or more) standard published here:
https://github.com/linux-audit/audit-documentation/wiki/SPEC-User-Account-Lifecycle-Events

If %pre getent, useradd, and groupadd  are being replaced by something, that
something needs to conform to the expected security safeguards that currently
exist. It needs to match the kind of events and the format that currently
exists.


Looking at the systemd-sysusers source [1], it seems to do exactly zero
audit logging. So there's a bit of work to do on that front...


last time I looked auditd is started later than
systemd-sysusers. Hence not sure if sysusers would actually generate
audit messages that auditd could pick them up.
For the rpm integration, "started later" is irrelevant as the user/group creation takes place during rpm transactions. 


In general though: people who care about audit need to send us patches
for this, if this matters to them. I don't think anyone in systemd
upstream wil work on this on their own.


Didn't imply any particular party, just that there's work to do.
Both rpm and systemd would like to see systemd-sysusers used for user/group creation but audit requirement prevents that. Who should do the work? Guess there's a bit of a Mexican stand-off here :D
The rpm integration doesn't technically require systemd-sysusers, we can write a script that calls useradd/groupadd instead. So for us it becomes a choice between writing that script or adding audit support to systemd-sysusers. Writing a script based on sysusers.generate-pre.sh may well be less work and would benefit the non-systemd audiences of rpm at the same time. We'll see. 

	- Panu -
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux