Steve Grubb <sgr...@redhat.com> writes:

> On Monday, June 26, 2023 2:47:01 PM EDT Peter Robinson wrote:
>> On Thu, Jun 22, 2023 at 5:15 PM Aoife Moloney <amolo...@redhat.com> wrote:
>> >
>> > https://fedoraproject.org/wiki/Changes/LibuserDeprecation
>> >
>> > This document represents a proposed Change. As part of the Changes
>> > process, proposals are publicly announced in order to receive
>> > community feedback. This proposal will only be implemented if approved
>> > by the Fedora Engineering Steering Committee.
>> >
>> > == Summary ==
>> >
>> > Libuser is not actively developed. Most of the depending components
>> > have a build-time option to work without libuser.
>> >
>> > == Owner ==
>> >
>> > * Name: [[User:THalman| Tomas Halman]]
>> > * Email: <thal...@redhat.com>
>> >
>> > == Detailed Description ==
>> >
>> > Libuser provides a library and command line utilities to manipulate
>> > user and group information. The purpose of the library
>> > is/was to hide the differences between users in LDAP and files in /etc
>> > (passwd, groups...). The support for LDAP
>> > is not complete and there is no plan to extend the functionality.
>> >
>> > The LDAP integration in Fedora is nowadays done by SSSD.
>> >
>> > In the past, libuser was used by more components, including the Fedora
>> > installer. Currently the list is short:
>> >
>> > * usermode (Requires development, it is not complicated but the
>> > dependency is unconditional)
>> > * util-linux (compile time option)
>> > * passwd (I suggest shipping the passwd utility from shadow-utils instead
>> > of passwd and dropping the passwd package as well)
>> 
>> 
>> Has the maintainer of the passwd utility been engaged about this
>> suggestion? Is there a difference in functionality between the two
>> variants of passwd?
>
> Yes, there is at least one difference that I know of. The one from passwd is 
> SELinux aware. I think that the threat it is defending against is root being 
> a shared account. You can have web admin, db admin, security officer, and 
> other roles. You do not want someone in one of these roles to be able to 
> change the root password and take over / block other admins.
>
> If you run in the unconfined domain, then you would never know it's there. 
> It's when you actually use roles that you bump into this.


Both passwd [1] and shadow-utils passwd [2] use the "passwd"
permission to check whether a root user is allowed to change passwords.

In this respect the behavior (though not the output) should not change when
/usr/bin/passwd is replaced with the version from shadow-utils.

E.g. using passwd.shadow from shadow-utils, for a "staff" user with uid 0
assigned to the "staff_u" SELinux user, it looks like:

    [root@fedora ~]# id
    uid=0(root) gid=1003(staff) groups=1003(staff) context=staff_u:staff_r:staff_t:s0-s0:c0.c1023
    [root@fedora ~]# passwd
    passwd: SELinux denying access due to security policy.
    [root@fedora ~]# passwd.shadow
    passwd.shadow: root is not authorized by SELinux to change the password of root

[1] https://pagure.io/passwd/blob/master/f/selinux_utils.c#_83
[2] https://github.com/shadow-maint/shadow/blob/master/src/passwd.c#L979


Petr
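An added example from the defender's side, not code from either passwd implementation and not part of this thread: when the SELinux check in passwd refuses a confined-role root, the refusal can be recorded in the audit log as an AVC denial on the userspace "passwd" object class. The Python below parses audit records, accepting both kernel "type=AVC" records and "type=USER_AVC" records (the form a userspace object manager produces when it routes libselinux's log callback into libaudit), and picks out denials with tclass=passwd, reporting which SELinux user hit them. The audit lines are constructed for the example; whether a given passwd build emits USER_AVC records at all depends on its logging setup, so treat that and the exact field layout as assumptions.

```python
import re
from dataclasses import dataclass

# Header of any audit record: type and the audit(timestamp:serial) stamp.
RECORD_RE = re.compile(
    r"^type=(?P<type>\w+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):"
)
# Core of an AVC message. It has the same shape in a kernel AVC record and
# inside the msg='...' of a USER_AVC record written by a userspace object
# manager such as passwd.
AVC_CORE_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
# key=value pairs; values are either double-quoted or a run of non-space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    record_type: str   # "AVC" or "USER_AVC"
    timestamp: float
    serial: int
    result: str        # "denied" or "granted"
    perms: tuple       # permissions named in the braces, e.g. ("passwd",)
    fields: dict       # scontext, tcontext, tclass, pid, comm, ...


def parse_avc(line):
    """Parse one audit line; return an AvcEvent or None if it is not an AVC."""
    head = RECORD_RE.match(line)
    if not head or head.group("type") not in ("AVC", "USER_AVC"):
        return None
    core = AVC_CORE_RE.search(line)
    if not core:
        return None
    # Strip the quotes around quoted values and the closing ' of a USER_AVC msg.
    fields = {k: v.strip("\"'") for k, v in FIELD_RE.findall(core.group("fields"))}
    return AvcEvent(
        head.group("type"),
        float(head.group("ts")),
        int(head.group("serial")),
        core.group("result"),
        tuple(core.group("perms").split()),
        fields,
    )


def selinux_user(context):
    """SELinux user component of a context like staff_u:staff_r:staff_t:s0."""
    return context.split(":", 1)[0] if context else ""


def passwd_denials(lines):
    """Denied AVC events on the 'passwd' class: a root shell in a confined
    role (staff_u, for instance) that was refused a password change."""
    out = []
    for line in lines:
        ev = parse_avc(line)
        if ev and ev.result == "denied" and ev.fields.get("tclass") == "passwd":
            out.append(ev)
    return out


def describe(ev):
    """One-line summary suitable for an alert."""
    return (f"{ev.fields.get('comm', '?')} pid={ev.fields.get('pid', '?')} "
            f"running as {selinux_user(ev.fields.get('scontext', ''))} was denied "
            f"{{ {' '.join(ev.perms)} }} on class passwd "
            f"(target context {ev.fields.get('tcontext', '?')})")


# Constructed sample audit lines (not captured from a real system): a USER_AVC
# denial on the passwd class from a staff_u root shell, an unrelated kernel AVC
# on a file, and a SYSCALL record that is not an AVC at all.
SAMPLE_AUDIT_LINES = [
    "type=USER_AVC msg=audit(1687800000.102:202): pid=4243 uid=0 auid=1000 ses=3 "
    "subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 msg='avc:  denied  { passwd } for  "
    "scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 "
    "tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=passwd permissive=0 "
    "exe=\"/usr/bin/passwd\"'",
    'type=AVC msg=audit(1687800000.103:203): avc:  denied  { read } for  pid=4244 '
    'comm="cat" name="shadow" dev="dm-0" ino=12345 scontext=staff_u:staff_r:staff_t:s0 '
    'tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0',
    "type=SYSCALL msg=audit(1687800000.103:203): arch=c000003e syscall=257 "
    "success=no exit=-13",
]

if __name__ == "__main__":
    for event in passwd_denials(SAMPLE_AUDIT_LINES):
        print(describe(event))
```

Filtering on tclass=passwd rather than on the program name is deliberate: the class is what both implementations consult, so the same rule covers the old passwd and the shadow-utils one, and it also catches the sibling permissions (chfn, chsh) that live in the same class.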

>
> -Steve
>
>
>> > == Feedback ==
>> >
>> > == Benefit to Fedora ==
>> >
>> > The main benefit is to decrease the maintenance and packaging work on a
>> > library that does not bring much value while the functionality is
>> > provided by other components.
>> >
>> > == Scope ==
>> >
>> > * Proposal owners: Dropping the package, move it to EPEL eventually
>> >
>> > * Other developers:
>> >
>> > ** Update usermode code to make libuser dependency configurable.
>> > ** Update usermode packaging to compile it without libuser
>> > ** Change packaging of util-linux to compile without libuser dependency
>> > ** Change packaging of shadow-utils to provide passwd utility
>> >
>> > * Release engineering: [https://pagure.io/releng/issue/11492]
>> >
>> > Libuser is part of base image and must be removed. IMO mass rebuild is
>> > not required.
>> >
>> > * Policies and guidelines: Since this is about dropping packages
>> > release notes must be updated.
>> >
>> > * Trademark approval: N/A (not needed for this Change)
>> >
>> > * Alignment with Community Initiatives: N/A
>> >
>> > == Upgrade/compatibility impact ==
>> >
>> > People who used libuser to manipulate users in LDAP will have to move to
>> > SSSD.
>> >
>> > == How To Test ==
>> >
>> > 0. no special hardware needed
>> > 1. remove libuser, passwd, install new shadow-utils, usermod and
>> > util-linux
>> > 2. try to change password of some user
>> > 3. try to modify user using usermod
>> > 4. expected results: everything works normally
>> >
>> > == User Experience ==
>> >
>> > This change should not be visible to users.
>> >
>> > == Dependencies ==
>> >
>> > * usermod (code modification, packaging to drop libuser dependency)
>> > * shadow-utils (packaging to provide passwd utility)
>> > * util-linux (packaging to drop libuser dependency)
>> > * passwd (drop package)
>> >
>> > == Contingency Plan ==
>> >
>> > * Contingency mechanism: Revert the shipped configuration
>> > * Contingency deadline: final development freeze
>> > * Blocks release? No
>> >
>> > == Documentation ==
>> >
>> > There is no extra documentation for this change except release notes.
>> >
>> > == Release Notes ==
>> >
>> > --
>> > Aoife Moloney
>> > Product Owner
>> > Community Platform Engineering Team
>> > Red Hat EMEA
>> > Communications House
>> > Cork Road
>> > Waterford
>> > _______________________________________________
>> > devel mailing list -- devel@lists.fedoraproject.org
>> > To unsubscribe send an email to devel-le...@lists.fedoraproject.org
>> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> > List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
>> > Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue