Bug#685734: dpkg should manage system users and groups
On Fri, Aug 24, 2012 at 07:23:57AM +0200, Harald Dunkel wrote:
> It would be very nice if dpkg could manage system users and groups
> created for each package.
>
> At the moment I've got GID 105 for dbus on host A, while 105 is
> used for saned on host B (just as an example). This is a severe
> problem when A's root partition is visible somehow on B, e.g.
> on a central backup server, or on an LXC server managing the
> client rootfs in its own name space.
>
> I would like to tell dpkg to use GID 105 for the dbus package on
> all systems. If there is a conflict with an existing entry in
> /etc/passwd or /etc/group, then it should refuse to install.

I have another use case for this: root-less .deb installs. While *in general* one needs root to run `dpkg -i`, most packages (75%) don't *actually* need arbitrary code to be run as root to be installed[1]. By making user creation declarative, we could lower that number quite a bit, I believe.

So my use case here is to reduce the attack surface for intrusions through untrusted .debs. I have documented various attack vectors here:

https://wiki.debian.org/UntrustedDebs

... and this is clearly one of them. :)

A.

[1]: https://nthykier.wordpress.com/2016/04/26/putting-debian-packages-in-labelled-boxes/
Bug#685734: dpkg should manage system users and groups
Control: reopen -1

On Sat, 2012-08-25 at 21:19:10 +0200, Guillem Jover wrote:
> On Fri, 2012-08-24 at 07:23:57 +0200, Harald Dunkel wrote:
> > Package: dpkg
> > Version: 1.16.8
> > Severity: wishlist
> >
> > It would be very nice if dpkg could manage system users and groups
> > created for each package.
>
> I've pondered about this in the past and commented on it further when
> Lars brought it up some time ago:
>
> http://blog.liw.fi/posts/addsysuser/
>
> In general I think it seems like a good idea, but serious consideration
> would be required before designing and implementing something like this.
>
> > At the moment I've got GID 105 for dbus on host A, while 105 is
> > used for saned on host B (just as an example). This is a severe
> > problem when A's root partition is visible somehow on B, e.g.
> > on a central backup server, or on an LXC server managing the
> > client rootfs in its own name space.
> >
> > I would like to tell dpkg to use GID 105 for the dbus package on
> > all systems. If there is a conflict with an existing entry in
> > /etc/passwd or /etc/group, then it should refuse to install.
> >
> > Do you think this could be done?
>
> While it could certainly be done, I don't think that this is by itself
> a compelling reason to implement the above, because you need to sync
> the normal user and groups ids too for example, at which point you are
> relying already on another method to sync the passwd dbs. In this case
> the easiest, as Gergely has pointed out, is to just pre-create the
> system users and groups with a fixed id.

Sorry, didn't mean to close this just yet.

thanks,
guillem
Bug#685734: dpkg should manage system users and groups
Harald Dunkel ha...@afaics.de writes:
> I would like to tell dpkg to use GID 105 for the dbus package on
> all systems. If there is a conflict with an existing entry in
> /etc/passwd or /etc/group, then it should refuse to install.

You can pre-create the dbus group with GID 105 on all machines, so once the package is installed, the group will already be present, and it won't re-create it.

--
|8]
Bug#685734: dpkg should manage system users and groups
Package: dpkg
Version: 1.16.8
Severity: wishlist

It would be very nice if dpkg could manage system users and groups created for each package.

At the moment I've got GID 105 for dbus on host A, while 105 is used for saned on host B (just as an example). This is a severe problem when A's root partition is visible somehow on B, e.g. on a central backup server, or on an LXC server managing the client rootfs in its own name space.

I would like to tell dpkg to use GID 105 for the dbus package on all systems. If there is a conflict with an existing entry in /etc/passwd or /etc/group, then it should refuse to install.

Do you think this could be done?

Harri
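
The check this thread discusses, as an added example that is not part of any message above and is not dpkg code: it parses two `/etc/group` files, reports GIDs that name different groups on each host, and applies the "already present / create / refuse on conflict" decision for a fixed GID. The function names and the sample group files are constructed for illustration.

```python
"""Added example: audit group databases for the GID drift described in the thread."""

def parse_group(text):
    """Parse /etc/group content (name:passwd:gid:members) into {name: gid}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # skip malformed lines and NIS +/- compat entries
        groups[fields[0]] = int(fields[2])
    return groups

def plan_group(groups, name, gid):
    """Decide what a fixed (name, gid) request means on one host."""
    if groups.get(name) == gid:
        return "present"  # pre-created with the right id, nothing to do
    if name in groups:
        return f"conflict: {name} already has GID {groups[name]}"
    owner = next((n for n, g in groups.items() if g == gid), None)
    if owner is not None:
        return f"conflict: GID {gid} is used by {owner}"
    return "create"

def cross_host_drift(a, b):
    """Return {gid: (name_on_a, name_on_b)} where one GID names different groups."""
    by_gid_a = {g: n for n, g in a.items()}
    by_gid_b = {g: n for n, g in b.items()}
    return {g: (by_gid_a[g], by_gid_b[g])
            for g in by_gid_a.keys() & by_gid_b.keys()
            if by_gid_a[g] != by_gid_b[g]}

# Constructed sample data matching the report: GID 105 is dbus on A, saned on B.
HOST_A = "root:x:0:\nssl-cert:x:104:\ndbus:x:105:\n"
HOST_B = "root:x:0:\nsaned:x:105:\nscanner:x:106:saned\n"

if __name__ == "__main__":
    a, b = parse_group(HOST_A), parse_group(HOST_B)
    print("drift:", cross_host_drift(a, b))
    for host, groups in (("A", a), ("B", b)):
        print(host, "dbus/105 ->", plan_group(groups, "dbus", 105))
```

On host B the plan is a conflict, which is the case where the requested behaviour is to refuse to install and where pre-creating the group would have had to happen before saned took the id.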