Steve Grubb <sgrubb@xxxxxxxxxx> writes:

> On Monday, June 26, 2023 2:47:01 PM EDT Peter Robinson wrote:
>> On Thu, Jun 22, 2023 at 5:15 PM Aoife Moloney <amoloney@xxxxxxxxxx> wrote:
>> >
>> > https://fedoraproject.org/wiki/Changes/LibuserDeprecation
>> >
>> > This document represents a proposed Change. As part of the Changes
>> > process, proposals are publicly announced in order to receive
>> > community feedback. This proposal will only be implemented if approved
>> > by the Fedora Engineering Steering Committee.
>> >
>> > == Summary ==
>> >
>> > Libuser is not actively developed. Most of the depending components
>> > have a build-time option to work without libuser.
>> >
>> > == Owner ==
>> >
>> > * Name: [[User:THalman| Tomas Halman]]
>> > * Email: <thalman@xxxxxxxxxx>
>> >
>> > == Detailed Description ==
>> >
>> > Libuser provides a library and command line utilities to manipulate
>> > user and group information. The purpose of the library
>> > is/was to hide the differences between users in LDAP and files in /etc
>> > (passwd, groups...). The support for LDAP
>> > is not complete and there is no plan to extend the functionality.
>> >
>> > The LDAP integration in Fedora is nowadays done by SSSD.
>> >
>> > In the past, libuser was used by more components, including the Fedora
>> > installer. Currently the list is short:
>> >
>> > * usermode (Requires development, it is not complicated but the
>> > dependency is unconditional)
>> > * util-linux (compile time option)
>> > * passwd (I suggest shipping the passwd utility from shadow-utils instead
>> > of passwd and dropping the passwd package as well)
>>
>> Has the maintainer of the passwd utility been engaged about this
>> suggestion? Is there a difference in functionality between the two
>> variants of passwd?
>
> Yes, there is at least one difference that I know of.
> The one from passwd is SELinux aware. I think that the threat it is
> defending against is root being a shared account. You can have web admin,
> db admin, security officer, and other roles. You do not want someone in one
> of these roles to be able to change the root password and take over / block
> other admins.
>
> If you run in the unconfined domain, then you would never know it's there.
> It's when you actually use roles that you bump into this.

Both passwd [1] and shadow-utils passwd [2] use the "passwd" permission to
check whether a root user is allowed to change passwords. In this part the
behavior (apart from the output) should not change when /usr/bin/passwd is
replaced with the version from shadow-utils. E.g. using passwd.shadow from
shadow-utils, for a "staff" user assigned to the "staff_u" SELinux user with
uid 0, it looks like:

[root@fedora ~]# id
uid=0(root) gid=1003(staff) groups=1003(staff) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
[root@fedora ~]# passwd
passwd: SELinux denying access due to security policy.
[root@fedora ~]# passwd.shadow
passwd.shadow: root is not authorized by SELinux to change the password of root

[1] https://pagure.io/passwd/blob/master/f/selinux_utils.c#_83
[2] https://github.com/shadow-maint/shadow/blob/master/src/passwd.c#L979

Petr

> -Steve
>
>> > == Feedback ==
>> >
>> > == Benefit to Fedora ==
>> >
>> > The main benefit is to decrease the maintenance and packaging work on a
>> > library that does not bring much value while the functionality is
>> > provided by other components.
>> >
>> > == Scope ==
>> > * Proposal owners: Dropping the package, move it to EPEL eventually
>> >
>> > * Other developers:
>> >
>> > ** Update usermode code to make libuser dependency configurable.
>> > ** Update usermode packaging to compile it without libuser
>> > ** Change packaging of util-linux to compile without libuser dependency
>> > ** Change packaging of shadow-utils to provide passwd utility
>> >
>> > * Release engineering: [https://pagure.io/releng/issue/11492]
>> >
>> > Libuser is part of the base image and must be removed. IMO mass rebuild is
>> > not required.
>> >
>> > * Policies and guidelines: Since this is about dropping packages,
>> > release notes must be updated.
>> >
>> > * Trademark approval: N/A (not needed for this Change)
>> >
>> > * Alignment with Community Initiatives: N/A
>> >
>> > == Upgrade/compatibility impact ==
>> >
>> > People who used libuser to manipulate users in LDAP will have to move to
>> > SSSD.
>> >
>> > == How To Test ==
>> >
>> > 0. no special hardware needed
>> > 1. remove libuser, passwd, install new shadow-utils, usermod and
>> > util-linux
>> > 2. try to change password of some user
>> > 3. try to modify user using usermod
>> > 4. expected results: everything works normally
>> >
>> > == User Experience ==
>> > This change should not be visible to users.
>> >
>> > == Dependencies ==
>> >
>> > * usermod (code modification, packaging to drop libuser dependency)
>> > * shadow-utils (packaging to provide passwd utility)
>> > * util-linux (packaging to drop libuser dependency)
>> > * passwd (drop package)
>> >
>> > == Contingency Plan ==
>> >
>> > * Contingency mechanism: Revert the shipped configuration
>> > * Contingency deadline: final development freeze
>> > * Blocks release? No
>> >
>> > == Documentation ==
>> >
>> > There is no extra documentation for this change except release notes.
>> >
>> > == Release Notes ==
>> >
>> > --
>> > Aoife Moloney
>> >
>> > Product Owner
>> > Community Platform Engineering Team
>> > Red Hat EMEA
>> > Communications House
>> > Cork Road
>> > Waterford
>> > _______________________________________________
>> > devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
>> > To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
>> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
>> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
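The check Petr describes, as an added example that is neither passwd's nor shadow-utils' code: it asks the policy through libselinux's selinux_check_access() whether the caller's own context holds the passwd permission in the passwd class, and words a denial the way the shadow-utils session above does. It assumes libselinux's soname is libselinux.so.1 and loads it with dlopen (from libc on current glibc; older glibc needs -ldl), so it also builds where SELinux headers are missing and then reports that no check applied.

```c
/* Added example, not passwd or shadow-utils code: the SELinux check both utilities
 * make before uid 0 may change a password; libselinux.so.1 (assumed soname) via dlopen. */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

enum passwd_permit { PERMIT_NOT_ENFORCED = 0, PERMIT_ALLOWED = 1, PERMIT_DENIED = 2 };
typedef int (*check_access_fn)(const char *, const char *, const char *, const char *, void *);

/* Ask the loaded policy whether the caller's own context (source == target)
 * holds permission `perm` (normally "passwd") in the "passwd" object class. */
enum passwd_permit selinux_passwd_permit(const char *perm)
{
    void *lib = dlopen("libselinux.so.1", RTLD_NOW);
    if (lib == NULL)
        return PERMIT_NOT_ENFORCED;            /* no libselinux: nothing to check */
    int (*is_enabled)(void) = (int (*)(void)) dlsym(lib, "is_selinux_enabled");
    int (*getcon_fn)(char **) = (int (*)(char **)) dlsym(lib, "getcon");
    void (*freecon_fn)(char *) = (void (*)(char *)) dlsym(lib, "freecon");
    check_access_fn check = (check_access_fn) dlsym(lib, "selinux_check_access");
    enum passwd_permit result = PERMIT_NOT_ENFORCED;
    char *ctx = NULL;
    if (is_enabled && getcon_fn && freecon_fn && check &&
        is_enabled() > 0 && getcon_fn(&ctx) == 0) {
        /* 0 means allowed; in permissive mode the AVC only logs and also returns 0. */
        result = check(ctx, ctx, "passwd", perm, NULL) == 0 ? PERMIT_ALLOWED : PERMIT_DENIED;
        freecon_fn(ctx);
    }
    dlclose(lib);
    return result;
}

/* Word the outcome as the shadow-utils passwd session above does; returns buf. */
const char *passwd_permit_message(enum passwd_permit r, const char *prog,
                                  const char *user, char *buf, size_t len)
{
    if (r == PERMIT_DENIED)
        snprintf(buf, len, "%s: root is not authorized by SELinux to change the password of %s", prog, user);
    else
        snprintf(buf, len, "%s: %s", prog, r == PERMIT_ALLOWED
                 ? "SELinux allows the change" : "SELinux not enforced, no check");
    return buf;
}

int main(void)
{
    char buf[256];
    puts(passwd_permit_message(selinux_passwd_permit("passwd"), "passwd.shadow", "root", buf, sizeof buf));
    return 0;
}
```

Run it as uid 0 under a confined SELinux user such as staff_u to reproduce the denial shown above; as an unconfined or non-root user the policy normally allows the check.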