Re: strawman proposal: homed directories for users

2024-10-11 Thread Michael Catanzaro
On Thu, Oct 10 2024 at 05:36:25 PM +02:00:00, Lennart Poettering 
 wrote:

I wished Fedora would focus more on making Measured Boot by default a
thing (other distros are working towards that, for example SUSE has
been investing in that), but Fedora is not precisely leading in this
effort right now.


At this point, I think the main obstacle is there are not really any 
humans working to make it happen. I think we have interest and 
willingness, but this isn't a small project and it won't develop itself.



--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-11 Thread Simo Sorce
On Fri, 2024-10-11 at 09:43 +0200, Lennart Poettering wrote:
> On Do, 10.10.24 17:22, Simo Sorce (s...@redhat.com) wrote:
> 
> > On Thu, 2024-10-10 at 17:29 +0200, Lennart Poettering wrote:
> > > On Mi, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
> > > 
> > > > 
> > > 
> > > This was again a reference to the fact that IPA folks aren't willing
> > > to restrict their allocations to some reasonable UID range, as
> > > mentoined elsewhere in this thread.
> > > 
> > 
> > Can you stop with this please?
> > This is absolutely not true is starting to become really annoying and
> > tiresome, let's please not do that.
> > 
> > It has been explained to you by me (and in person years ago) and others
> > multiple times that FreeIPA has a fixed range it picks from, but to
> > allow *multiple* domains to interoperate it picks a subrange from that
> > big one fixed range, which is high up in the "millions* (I forget the
> > exact range but I think 1M-2M).
> 
> Stephen said in this very thread the IPA range is 10K…2010K.
> 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/IO33GOYAHHTRL7LIGXW5WJQNIUYW2WND/
> 
> So what is it now?
> 
> The difference is pretty relevant, because 10K means 16bit range, and
> coverage of the special Linux UIDs 65535, 65534.
> 
> > As an example this is my personal domain user which I installed ages
> > ago and has this record:
> > 
> > $ getent passwd simo
> > simo:*:164903:164903:Simo Sorce:/home/simo:/bin/bash
> > 
> > As you can see there is no conflict with any reserved ID, please get
> > your facts straight.
> 
> Well, you guys are contradicting each other!
> 
> Can you please tell me the accurate fixed range that IPA allocates
> from? I heard various things now:
> 
>10K…2010K (Stephen)
>1M…2M (you, above)
>200K…2G (somewhere in the IPA docs)
> 
> What is it now?

Alexander Bokovoy gave you a document more than once over the years.
The total range IPA picks from by default is 200K-2G, from which an IPA
domain picks a random 200K range by default and sticks to it for the
life of the domain.

I just said in the millions, because that is generally what happens, I
wasn't trying to be exact, because it doesn't matter, it is clearly
outside of the danger zone, and for the purpose of the discussion it
didn't matter to be exact.

> 
> if 1M…2M is right I'd be quite happy actually, that's a managable
> range, I'd be happy make systemd respect that. Alas, I think it's not
> actually accurate, is it?
> 
> 10K…2010K would be highly problematic, because it overlaps with said
> spcial Linux UIDs, and is 16bit and so on.
> 
> 200K…2G would be problematic too, for example it conflicts with where
> local subuid/subgid allocates from (524288…60010).

Local subuid/subgid things came a decade+ after FreeIPA had established
ranges, and as you said it is a bad idea to use subuids, I agree with
that, so I do not care that we conflict.

Look a 32bit UID range is just ridiculous, it *cannot* work for
everybody, so conflicts will just happens if you take many unmanaged
machines in aggregate. In domains that need conflict free IDs
administrator have to be involved and have to make reasonable choices
and carve out pieces where there is a conflict.

This is an unsolvable problem with the way the Linux kernel manages
IDs, The solution exist in the industry and it is what Microsoft calls
SIDs, if we had that we would be reserving special domain SID spaces
for various special purposes and leave others for actual real user
domain IDs.

Unfortunately nobody wants to introduce such a concept in the Linux
kernel, so we'll live with conflicts for the forseable future.


Simo.

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-11 Thread Lennart Poettering
On Do, 10.10.24 17:22, Simo Sorce (s...@redhat.com) wrote:

> On Thu, 2024-10-10 at 17:29 +0200, Lennart Poettering wrote:
> > On Mi, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
> >
> > >
> >
> > This was again a reference to the fact that IPA folks aren't willing
> > to restrict their allocations to some reasonable UID range, as
> > mentoined elsewhere in this thread.
> >
>
> Can you stop with this please?
> This is absolutely not true is starting to become really annoying and
> tiresome, let's please not do that.
>
> It has been explained to you by me (and in person years ago) and others
> multiple times that FreeIPA has a fixed range it picks from, but to
> allow *multiple* domains to interoperate it picks a subrange from that
> big one fixed range, which is high up in the "millions* (I forget the
> exact range but I think 1M-2M).

Stephen said in this very thread the IPA range is 10K…2010K.

https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/IO33GOYAHHTRL7LIGXW5WJQNIUYW2WND/

So what is it now?

The difference is pretty relevant, because 10K means 16bit range, and
coverage of the special Linux UIDs 65535, 65534.

> As an example this is my personal domain user which I installed ages
> ago and has this record:
>
> $ getent passwd simo
> simo:*:164903:164903:Simo Sorce:/home/simo:/bin/bash
>
> As you can see there is no conflict with any reserved ID, please get
> your facts straight.

Well, you guys are contradicting each other!

Can you please tell me the accurate fixed range that IPA allocates
from? I heard various things now:

   10K…2010K (Stephen)
   1M…2M (you, above)
   200K…2G (somewhere in the IPA docs)

What is it now?

if 1M…2M is right I'd be quite happy actually, that's a managable
range, I'd be happy make systemd respect that. Alas, I think it's not
actually accurate, is it?

10K…2010K would be highly problematic, because it overlaps with said
spcial Linux UIDs, and is 16bit and so on.

200K…2G would be problematic too, for example it conflicts with where
local subuid/subgid allocates from (524288…60010).

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-10 Thread Alexander Bokovoy

On Чцв, 10 кас 2024, Stephen Gallagher wrote:

On Thu, Oct 10, 2024 at 5:23 PM Simo Sorce  wrote:


On Thu, 2024-10-10 at 17:29 +0200, Lennart Poettering wrote:
> On Mi, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
>
> >
>
> This was again a reference to the fact that IPA folks aren't willing
> to restrict their allocations to some reasonable UID range, as
> mentoined elsewhere in this thread.
>

Can you stop with this please?
This is absolutely not true is starting to become really annoying and
tiresome, let's please not do that.

It has been explained to you by me (and in person years ago) and others
multiple times that FreeIPA has a fixed range it picks from, but to
allow *multiple* domains to interoperate it picks a subrange from that
big one fixed range, which is high up in the "millions* (I forget the
exact range but I think 1M-2M).

As an example this is my personal domain user which I installed ages
ago and has this record:

$ getent passwd simo
simo:*:164903:164903:Simo Sorce:/home/simo:/bin/bash

As you can see there is no conflict with any reserved ID, please get
your facts straight.

Now clearly older Unixes are dead, and NFS has finally come out of the
stone age and should be able to handle 32 bit ids everywhere, so there
is less need to allocate in a low range, but UIDs in long lived
organizations are really hard to change. At RH my Corporate uid is in
the low range for historical reasons (there have been at least two
migration through NIS and then LDAP servers and finally IPA since I
joined a couple of eons ago), and IPA serves it and it is fine.

Just to be clear, IPA came out a more than a decade before systemd
started looking into any of this, and it was a more than decade after
Samba had already dealt with UID mapping in AD domains.
Ranges are always local and it is unlikely a system will need to use
two competing allocation technologies, so this is not a big deal in any
case, but at least please lets try to get facts rights and not try to
cast some kind of blame where there is none to cast.

What is reasonable or not depends on the historical circumstances of
development and deployment, and can be changed as needed, you can
simply open an issue on the freeipa project and discuss there the pros
and cons, if the current defaults are not ok for whatever reason,
nobody will bite you.

The reason why historically IPA *had to* allow to use a range below 65k
is that we had compatibility requirements with older NFS and other Unix
systems that could handle no more than 65535 ids (remember this project
is now 17 years old and derive a lot from a project that is 30+ years
old), and a systems of that era.

> Let me emphasize again, right now, the UID range IPA takes possession
> of collides on Fedora currently with:
>
> 1. classic UNIX users created via /etc/passwd adduser,
>i.e. shadow-utils and stuff. As mentioned elsewhre, logind.defs
>says this range goes to 60K, but IPA already starts before that.
> 2. special Linux UIDs 65535, 65534
> 2. dynamic service users allocated via DynamicUser=1 in systemd unit
>files
> 3. systemd-homed users
>
> (and more...)

Yeah this is simply misleading, FreeIPA *allows* an administrator to
overlap those ranges for legacy compatibility reasons, but it has never
been the default.




Some of this is my fault. I responded earlier in the thread and cited
(incorrectly) that the defaults covered a range from 10,000 -
2,010,000. My memory was faulty and I got the wrong offset for the
low-end. Then I got sick yesterday and the conversation ran ahead
without me being able to correct that misstatement. I can't seem to
dig up the actual lower bound, but I think it's more like a range of
200,000 - 2,200,000 than my original statement.


When we had our previous round of discussions with Lennart, I created a
document that outlines FreeIPA identity mapping details. It is published
at https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html.
Perhaps, it is still not enough to explain the field we are dealing
with...





> > > > Can you configure autologin for those uses cases (like kiosks or a home
> > > > entertainment system) where that makes sense to do ?
> > >
> > > No you cannot, the security model relies on unlock keys to be provided
> > > before the home directory is accessible. It's a strength of the model,
> > > not a weakness, that user data is actually protected by the provided
> > > user authentication credentials.
> >
> > So that is another use case that you need to know in advance before
> > installation, how hard it is to "convert" the system if you made the
> > incorrect choice?
>
> You can just copy out the files/chown them and add a classic UNIX user
> record if you wish.

Ok so this requires a highly skilled person, a regular person would
have to create a new user from the UI (assuming it gives the option to
specify what kind of home you get) and somehow copy data over from one
account to the other, which is additional wo

Re: strawman proposal: homed directories for users

2024-10-10 Thread Stephen Gallagher
On Thu, Oct 10, 2024 at 5:23 PM Simo Sorce  wrote:
>
> On Thu, 2024-10-10 at 17:29 +0200, Lennart Poettering wrote:
> > On Mi, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
> >
> > >
> >
> > This was again a reference to the fact that IPA folks aren't willing
> > to restrict their allocations to some reasonable UID range, as
> > mentoined elsewhere in this thread.
> >
>
> Can you stop with this please?
> This is absolutely not true is starting to become really annoying and
> tiresome, let's please not do that.
>
> It has been explained to you by me (and in person years ago) and others
> multiple times that FreeIPA has a fixed range it picks from, but to
> allow *multiple* domains to interoperate it picks a subrange from that
> big one fixed range, which is high up in the "millions* (I forget the
> exact range but I think 1M-2M).
>
> As an example this is my personal domain user which I installed ages
> ago and has this record:
>
> $ getent passwd simo
> simo:*:164903:164903:Simo Sorce:/home/simo:/bin/bash
>
> As you can see there is no conflict with any reserved ID, please get
> your facts straight.
>
> Now clearly older Unixes are dead, and NFS has finally come out of the
> stone age and should be able to handle 32 bit ids everywhere, so there
> is less need to allocate in a low range, but UIDs in long lived
> organizations are really hard to change. At RH my Corporate uid is in
> the low range for historical reasons (there have been at least two
> migration through NIS and then LDAP servers and finally IPA since I
> joined a couple of eons ago), and IPA serves it and it is fine.
>
> Just to be clear, IPA came out a more than a decade before systemd
> started looking into any of this, and it was a more than decade after
> Samba had already dealt with UID mapping in AD domains.
> Ranges are always local and it is unlikely a system will need to use
> two competing allocation technologies, so this is not a big deal in any
> case, but at least please lets try to get facts rights and not try to
> cast some kind of blame where there is none to cast.
>
> What is reasonable or not depends on the historical circumstances of
> development and deployment, and can be changed as needed, you can
> simply open an issue on the freeipa project and discuss there the pros
> and cons, if the current defaults are not ok for whatever reason,
> nobody will bite you.
>
> The reason why historically IPA *had to* allow to use a range below 65k
> is that we had compatibility requirements with older NFS and other Unix
> systems that could handle no more than 65535 ids (remember this project
> is now 17 years old and derive a lot from a project that is 30+ years
> old), and a systems of that era.
>
> > Let me emphasize again, right now, the UID range IPA takes possession
> > of collides on Fedora currently with:
> >
> > 1. classic UNIX users created via /etc/passwd adduser,
> >i.e. shadow-utils and stuff. As mentioned elsewhre, logind.defs
> >says this range goes to 60K, but IPA already starts before that.
> > 2. special Linux UIDs 65535, 65534
> > 2. dynamic service users allocated via DynamicUser=1 in systemd unit
> >files
> > 3. systemd-homed users
> >
> > (and more...)
>
> Yeah this is simply misleading, FreeIPA *allows* an administrator to
> overlap those ranges for legacy compatibility reasons, but it has never
> been the default.
>


Some of this is my fault. I responded earlier in the thread and cited
(incorrectly) that the defaults covered a range from 10,000 -
2,010,000. My memory was faulty and I got the wrong offset for the
low-end. Then I got sick yesterday and the conversation ran ahead
without me being able to correct that misstatement. I can't seem to
dig up the actual lower bound, but I think it's more like a range of
200,000 - 2,200,000 than my original statement.

> > > > > Can you configure autologin for those uses cases (like kiosks or a 
> > > > > home
> > > > > entertainment system) where that makes sense to do ?
> > > >
> > > > No you cannot, the security model relies on unlock keys to be provided
> > > > before the home directory is accessible. It's a strength of the model,
> > > > not a weakness, that user data is actually protected by the provided
> > > > user authentication credentials.
> > >
> > > So that is another use case that you need to know in advance before
> > > installation, how hard it is to "convert" the system if you made the
> > > incorrect choice?
> >
> > You can just copy out the files/chown them and add a classic UNIX user
> > record if you wish.
>
> Ok so this requires a highly skilled person, a regular person would
> have to create a new user from the UI (assuming it gives the option to
> specify what kind of home you get) and somehow copy data over from one
> account to the other, which is additional work for mgmt tools.
>
> > > > As I understand the IPA/sssd model is a lot more traditional there,
> > > > and does not consider the user's data as something to pr

Re: strawman proposal: homed directories for users

2024-10-10 Thread Simo Sorce
On Thu, 2024-10-10 at 17:29 +0200, Lennart Poettering wrote:
> On Mi, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:
> 
> > 
> 
> This was again a reference to the fact that IPA folks aren't willing
> to restrict their allocations to some reasonable UID range, as
> mentoined elsewhere in this thread.
> 

Can you stop with this please?
This is absolutely not true is starting to become really annoying and
tiresome, let's please not do that.

It has been explained to you by me (and in person years ago) and others
multiple times that FreeIPA has a fixed range it picks from, but to
allow *multiple* domains to interoperate it picks a subrange from that
big one fixed range, which is high up in the "millions* (I forget the
exact range but I think 1M-2M).

As an example this is my personal domain user which I installed ages
ago and has this record:

$ getent passwd simo
simo:*:164903:164903:Simo Sorce:/home/simo:/bin/bash

As you can see there is no conflict with any reserved ID, please get
your facts straight.

Now clearly older Unixes are dead, and NFS has finally come out of the
stone age and should be able to handle 32 bit ids everywhere, so there
is less need to allocate in a low range, but UIDs in long lived
organizations are really hard to change. At RH my Corporate uid is in
the low range for historical reasons (there have been at least two
migration through NIS and then LDAP servers and finally IPA since I
joined a couple of eons ago), and IPA serves it and it is fine.

Just to be clear, IPA came out a more than a decade before systemd
started looking into any of this, and it was a more than decade after
Samba had already dealt with UID mapping in AD domains.
Ranges are always local and it is unlikely a system will need to use
two competing allocation technologies, so this is not a big deal in any
case, but at least please lets try to get facts rights and not try to
cast some kind of blame where there is none to cast.

What is reasonable or not depends on the historical circumstances of
development and deployment, and can be changed as needed, you can
simply open an issue on the freeipa project and discuss there the pros
and cons, if the current defaults are not ok for whatever reason,
nobody will bite you.

The reason why historically IPA *had to* allow to use a range below 65k
is that we had compatibility requirements with older NFS and other Unix
systems that could handle no more than 65535 ids (remember this project
is now 17 years old and derive a lot from a project that is 30+ years
old), and a systems of that era.

> Let me emphasize again, right now, the UID range IPA takes possession
> of collides on Fedora currently with:
> 
> 1. classic UNIX users created via /etc/passwd adduser,
>i.e. shadow-utils and stuff. As mentioned elsewhre, logind.defs
>says this range goes to 60K, but IPA already starts before that.
> 2. special Linux UIDs 65535, 65534
> 2. dynamic service users allocated via DynamicUser=1 in systemd unit
>files
> 3. systemd-homed users
> 
> (and more...)

Yeah this is simply misleading, FreeIPA *allows* an administrator to
overlap those ranges for legacy compatibility reasons, but it has never
been the default.

> > > > Can you configure autologin for those uses cases (like kiosks or a home
> > > > entertainment system) where that makes sense to do ?
> > > 
> > > No you cannot, the security model relies on unlock keys to be provided
> > > before the home directory is accessible. It's a strength of the model,
> > > not a weakness, that user data is actually protected by the provided
> > > user authentication credentials.
> > 
> > So that is another use case that you need to know in advance before
> > installation, how hard it is to "convert" the system if you made the
> > incorrect choice?
> 
> You can just copy out the files/chown them and add a classic UNIX user
> record if you wish.

Ok so this requires a highly skilled person, a regular person would
have to create a new user from the UI (assuming it gives the option to
specify what kind of home you get) and somehow copy data over from one
account to the other, which is additional work for mgmt tools.

> > > As I understand the IPA/sssd model is a lot more traditional there,
> > > and does not consider the user's data as something to protect? I'd
> > > call that highly problematic, but I guess it's from a different time.
> > 
> > It is not from a different time, it is from a different use case.
> > In general you expect full disk encryption on corporate/centrally
> > managed machines, not per-user encryption, unless you can escrow per-
> > user encryption credentials, which I do not think systemd-homed is well
> > positioned to do currently.
> 
> I am pretty sure you want both, as mentioned: encryption of system
> data to the TPM, and user data to a personal credential.

For corporate machines FDE with a single escrow key is more cost
effective so they prefer to do it that way, but I am agnostic here,
each on

Re: strawman proposal: homed directories for users

2024-10-10 Thread Lennart Poettering
On Mi, 09.10.24 20:17, Fedora Development ML (devel@lists.fedoraproject.org) 
wrote:

> Am 09.10.24 um 17:12 schrieb Simo Sorce:
> > > Hence I am very curious where you think the security issues are?
> > Sorry, I did not mean in any way to imply there are open security issue
> > with systemd-homed, I meant only that we need to analyze the security
> > assumptions in the context of making this a default and ensure we
> > protect what we mean to protect, and address the risk profile we
> > define.
>
> I want to add something here. FDE has two main purposes for mobile
> devices (e.g. a Laptop):
>
> 1. prevent a thief of getting the data after the device is stolen
> 2. prevent an attacker installing or exchanging installed software with
> a version of their own (e.g. installing a keylogger) while the owner
> isn't looking
>
> Number 1 is also taken care of by homed (if it does the encryption), if
> you only have your data in your home directory (my father for example
> does not, he has an extra disk with his most important data mounted to
> ~/data, yes, mounted INTO his home directory).
>
> FDE alone obviously can't take care of number 2 alone, but needs at
> least something like SecureBoot and a protected BIOS (or similar). But
> if that's a given, it's pretty darn hard for attacker to do so (although
> obviously not impossible, but I don't think there's a system where you
> can say that).
> With homed on the other hand, I don't think that would work. As far as I
> understand it, things like SecureBoot only work up until including the
> kernel, but not for e.g. the init system, or homed itself. So an
> attacker could take the disk, mount it on one of his devices, exchange
> some system software with their own version (after all, it's not checked
> that this is an ok binary) and then put the disk back into the device.
>
> So, if you have a mobile device (like e.g. a Laptop), I don't think that
> using JUST homed (even with SecureBoot) would be enough anyway.

The model I am trying to push people towards is to guarantee OS
integrity via Measured Boot, systemd brings a lot of infrastructure
for that these days to provide TPM measurements, to manage TPM
policies based on that, and to the hook up FDE to that.

I think Secure Boot is much less interesting tech, since – at least in
its incarnation for PCs – it is at best a very very wide allowlist of
things, that because it is so unprecise is effectively just a denylist
of known bad stuff, not more.

A security policy linked to Measured Boot is a much fine grained
approach, i.e. it can lock disk encryption to the OS vendor, the
device vendor and its configuration.

I wished Fedora would focus more on making Measured Boot by default a
thing (other distros are working towards that, for example SUSE has
been investing in that), but Fedora is not precisely leading in this
effort right now.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-10 Thread Lennart Poettering
On Mi, 09.10.24 11:12, Simo Sorce (s...@redhat.com) wrote:

> > I am pretty sure the security model is a lot cleaner than anything the
> > sssd/IPA world would do, because we lock disk encryption to user
> > provided credentials, FIDO2/PKCS#11 and such, and can suspend the home
> > dir's encryption key on suspend. It should be a massive step up in
> > security.
>
> You can lock a laptop disk via TPM and similar with clevis/tang as
> well, w/o tying it to a single user, how you do it depends on what your
> constraints are.

I am pretty sure secure systems should lock down everything: the
per-system stuff locked to a local TPM, and the per-user stuff locked
to a password or FIDO2 token or so owned by the user.

I'd suggest to avoid the tpm stuff in clevis/tang btw, the stuff
systemd does natively is a ton more advanced, i.e. encrypts TPM
communication on the bus, has a sane story around PCR updates and so on.

> > No. systemd-homed user records are signed. User records not signed by
> > a recognized key are not accepted.
> >
> > I am not sure if sssd/IPA stuff has something similar? is there any
> > cryptographic integration protection part of its user database?
>
> SSSD/IPA only accept users from the domain they are bound to via the
> keytab on the disk, all the data is authenticated that way, then stored
> locally. The assumption is that the disk where the cache is stored is
> encrypted of course.

Right. homed's model is a lot stricter there, we generally require
offline security, i.e. the user records themselves are protected
cryptographically, we never rely on some storage hopefully being
trusted.

(in particular as FDE as typically deployed on linux doesn't even
authenticate the data at all, strictly speaking, even though people
assume it does)

> > > Will it now allow this other user to access files and directories that
> > > should be reserved to other users?
> >
> > No. At moment the binding of the home dir to the local host is
> > established a free UID/GID is taken from a very specific range. This
> > should make collisions unlikely. (though not impossible, because this
> > system of course relies on everyone being equally careful before
> > taking possession of a UID/GID, and as I understand the IPA world is
> > systematically opposed to that, which is sad, but nothing I can
> > change).
>
> I do not understand what you mean with this comment, in a domain all
> UIDs are consistent, that said you can also do local assignment in
> theory, it just is rarely a good idea (NFS doe snot support that, it is
> the externalities of network protocols assuming consistent IDs that
> force our hand in default configurations).

This was again a reference to the fact that IPA folks aren't willing
to restrict their allocations to some reasonable UID range, as
mentoined elsewhere in this thread.

Let me emphasize again, right now, the UID range IPA takes possession
of collides on Fedora currently with:

1. classic UNIX users created via /etc/passwd adduser,
   i.e. shadow-utils and stuff. As mentioned elsewhre, logind.defs
   says this range goes to 60K, but IPA already starts before that.
2. special Linux UIDs 65535, 65534
2. dynamic service users allocated via DynamicUser=1 in systemd unit
   files
3. systemd-homed users

(and more...)

> > > Can you configure autologin for those uses cases (like kiosks or a home
> > > entertainment system) where that makes sense to do ?
> >
> > No you cannot, the security model relies on unlock keys to be provided
> > before the home directory is accessible. It's a strength of the model,
> > not a weakness, that user data is actually protected by the provided
> > user authentication credentials.
>
> So that is another use case that you need to know in advance before
> installation, how hard it is to "convert" the system if you made the
> incorrect choice?

You can just copy out the files/chown them and add a classic UNIX user
record if you wish.

> > As I understand the IPA/sssd model is a lot more traditional there,
> > and does not consider the user's data as something to protect? I'd
> > call that highly problematic, but I guess it's from a different time.
>
> It is not from a different time, it is from a different use case.
> In general you expect full disk encryption on corporate/centrally
> managed machines, not per-user encryption, unless you can escrow per-
> user encryption credentials, which I do not think systemd-homed is well
> positioned to do currently.

I am pretty sure you want both, as mentioned: encryption of system
data to the TPM, and user data to a personal credential.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://

Re: strawman proposal: homed directories for users

2024-10-09 Thread Owen Taylor
On Wed, Oct 9, 2024 at 2:19 PM Kilian Hanich via devel <
devel@lists.fedoraproject.org> wrote:

> Am 09.10.24 um 17:12 schrieb Simo Sorce:
> >> Hence I am very curious where you think the security issues are?
> > Sorry, I did not mean in any way to imply there are open security issue
> > with systemd-homed, I meant only that we need to analyze the security
> > assumptions in the context of making this a default and ensure we
> > protect what we mean to protect, and address the risk profile we
> > define.
>
> I want to add something here. FDE has two main purposes for mobile
> devices (e.g. a Laptop):
>
> 1. prevent a thief of getting the data after the device is stolen
> 2. prevent an attacker installing or exchanging installed software with
> a version of their own (e.g. installing a keylogger) while the owner
> isn't looking
>
> Number 1 is also taken care of by homed (if it does the encryption), if
> you only have your data in your home directory (my father for example
> does not, he has an extra disk with his most important data mounted to
> ~/data, yes, mounted INTO his home directory).
>
> FDE alone obviously can't take care of number 2 alone, but needs at
> least something like SecureBoot and a protected BIOS (or similar). But
> if that's a given, it's pretty darn hard for attacker to do so (although
> obviously not impossible, but I don't think there's a system where you
> can say that).
>

There's a caveat here - SecureBoot as currently implemented in Fedora does
not give any protection against this type of attack, because the initrd -
that prompts for your password - is not protected by SecureBoot.

The rough plan that we came up a couple of years ago (
https://discussion.fedoraproject.org/t/future-of-encryption-in-fedora-desktop-variants/80397/19)
was:
 - Encrypt everything but home directories using a TPM-sealed encryption
key - and *no password*
 - Encrypt the home directories with user credentials (I wasn't sure at
that point whether homed made sense, but there's been progress in GNOME
integration, so it's more attractive these days)

One of the things that has kept us from making progress here is that
progress on Unified Kernel Images has been slow, and there's no firm plan
about how to extend it to handle desktop/laptop installations.

With homed on the other hand, I don't think that would work. As far as I
> understand it, things like SecureBoot only work up until including the
> kernel, but not for e.g. the init system, or homed itself. So an
> attacker could take the disk, mount it on one of his devices, exchange
> some system software with their own version (after all, it's not checked
> that this is an ok binary) and then put the disk back into the device.


Yes, but that's true of FDE as well, unless the initrd is protected by
secure boot. (*)

- Owen

(*) Direct protection of the initrd would be refusing to run the initrd
unless it was signed by an enrolled key. This is very hard to achieve - it
requires the user to have a BIOS password, etc. This is why the plan was
indirect protection - any initrd could run, but unless it was signed
correctly, it would be unable to load the system partition encryption key
from the TPM.
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-09 Thread Kilian Hanich via devel

Am 09.10.24 um 17:12 schrieb Simo Sorce:

Hence I am very curious where you think the security issues are?

Sorry, I did not mean in any way to imply there are open security issue
with systemd-homed, I meant only that we need to analyze the security
assumptions in the context of making this a default and ensure we
protect what we mean to protect, and address the risk profile we
define.


I want to add something here. FDE has two main purposes for mobile
devices (e.g. a Laptop):

1. prevent a thief of getting the data after the device is stolen
2. prevent an attacker installing or exchanging installed software with
a version of their own (e.g. installing a keylogger) while the owner
isn't looking

Number 1 is also taken care of by homed (if it does the encryption), if
you only have your data in your home directory (my father for example
does not, he has an extra disk with his most important data mounted to
~/data, yes, mounted INTO his home directory).

FDE alone obviously can't take care of number 2 alone, but needs at
least something like SecureBoot and a protected BIOS (or similar). But
if that's a given, it's pretty darn hard for attacker to do so (although
obviously not impossible, but I don't think there's a system where you
can say that).
With homed on the other hand, I don't think that would work. As far as I
understand it, things like SecureBoot only work up until including the
kernel, but not for e.g. the init system, or homed itself. So an
attacker could take the disk, mount it on one of his devices, exchange
some system software with their own version (after all, it's not checked
that this is an ok binary) and then put the disk back into the device.

So, if you have a mobile device (like e.g. a Laptop), I don't think that
using JUST homed (even with SecureBoot) would be enough anyway.


Regards

Kilian Hanich
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-09 Thread Simo Sorce
On Tue, 2024-10-08 at 17:57 +0200, Lennart Poettering wrote:
> On Mo, 07.10.24 12:59, Simo Sorce (s...@redhat.com) wrote:
> 
> > > The homed approach would make other things possible too. For example,
> > > sharing of /home in dual-boot scenarios. Right now a manual setup
> > > needs to be done, and login details need to be propagated each time,
> > > but with homed, dual-boot and reinstall are very similar scenarios,
> > > so if we get one to work, we get the other one for free.
> > > 
> > > Zbyszek
> > 
> > The homed approach can work only in cases where you basically have only
> > one user and all the OSs use the same approach.
> 
> Hmm, what? No, homed works fine with multiple users. I have multiple
> users right now on my local system.

Here I was talking specifically about the case of a multi-boot system.

In general it is not practical for large deployments to manually carry
around all user data and allow mounting of the home on multiple
systems. So it is by definition a "single user system", even though you
can have multiple user drives, sorry for the confusion. 

> 
> > I see a few issues with security that needs to be addressed.
> 
> Like what? Please be explicit, otherwise smells like FUD.

Keep in mind my perspective is one of large deployments, not single
system cared for by their own admin, so do not take my comment to the
simple single-user case.

> I am pretty sure the security model is a lot cleaner than anything the
> sssd/IPA world would do, because we lock disk encryption to user
> provided credentials, FIDO2/PKCS#11 and such, and can suspend the home
> dir's encryption key on suspend. It should be a massive step up in
> security.

You can lock a laptop disk via TPM and similar with clevis/tang as
well, w/o tying it to a single user, how you do it depends on what your
constraints are.

> Hence I am very curious where you think the security issues are?

Sorry, I did not mean in any way to imply there are open security issue
with systemd-homed, I meant only that we need to analyze the security
assumptions in the context of making this a default and ensure we
protect what we mean to protect, and address the risk profile we
define.

> > What happens if I plug a disk into a laptop that sports a "homed"
> > directory, will the laptop suddenly allow a stranger to just login into
> > the machine?
> 
> No. systemd-homed user records are signed. User records not signed by
> a recognized key are not accepted.
> 
> I am not sure if sssd/IPA stuff has something similar? is there any
> cryptographic integration protection part of its user database?

SSSD/IPA only accept users from the domain they are bound to via the
keytab on the disk, all the data is authenticated that way, then stored
locally. The assumption is that the disk where the cache is stored is
encrypted of course.

> > What happens if there are conflicts of uid or gid ?
> 
> In the systemd-homed world uid/gid are assigned when the home dir is
> first activated on a host. A free UID/GID is allocated then, and
> idmapping is used to ensure that the home dir appears owned by the
> right user (or in other words: on disk all files are owned by
> user/group "nobody", only the idmapping makes them appear owned by the
> user locally). This UID/GID binding is persisted on the local system,
> but can differ between systems.
> 
> > Will it now allow this other user to access files and directories that
> > should be reserved to other users?
> 
> No. At moment the binding of the home dir to the local host is
> established a free UID/GID is taken from a very specific range. This
> should make collisions unlikely. (though not impossible, because this
> system of course relies on everyone being equally careful before
> taking possession of a UID/GID, and as I understand the IPA world is
> systematically opposed to that, which is sad, but nothing I can
> change).

I do not understand what you mean with this comment, in a domain all
UIDs are consistent, that said you can also do local assignment in
theory, it just is rarely a good idea (NFS doe snot support that, it is
the externalities of network protocols assuming consistent IDs that
force our hand in default configurations).

> 
> > What happen if you want to change the user to be a corporate directory
> > provided one?
> 
> Enterprisey IPA/SSSD/AD/LDAP style stuff really is not in focus for
> systemd-homed, as mentioned many times.

Ok, so this already means that Fedora would need 2 different behaviors
in the single user vs laptop in a domain configuration. That is an
important thing to point out.

> > Can you configure autologin for those uses cases (like kiosks or a home
> > entertainment system) where that makes sense to do ?
> 
> No you cannot, the security model relies on unlock keys to be provided
> before the home directory is accessible. It's a strength of the model,
> not a weakness, that user data is actually protected by the provided
> user authentication credentials.

So that is another us

Re: strawman proposal: homed directories for users

2024-10-09 Thread Barry Scott


> On 9 Oct 2024, at 10:04, Zbigniew Jędrzejewski-Szmek  
> wrote:
> 
> On Tue, Oct 08, 2024 at 06:14:29PM +0100, Barry Scott wrote:
>>> On 4 Oct 2024, at 16:05, Zbigniew Jędrzejewski-Szmek  
>>> wrote:
>>> 
>>> Hi folks,
>>> 
>>> I was recently doing a bunch of test reinstalls of Fedora [1],
>>> looking to see if it's complicated to retain the user directories
>>> during a reinstall. The answer is, sadly, that it's possible only with
>>> some manual tinkering. This is a known problem [2].
>>> 
>>> With a little bit of trickery, Anaconda will let the "home" subvolume
>>> be and install the system to a new "root" subvolume, so user data is
>>> preserved. But then after a reboot a new user will be created, because
>>> the old user is not hooked up into /etc/passwd.
>>> 
>>> We actually have a partial solution for this: systemd-homed.
>>> With systemd-homed the information about the user is maintained in the
>>> user directory/subvolume/partition, e.g. /home/username.homedir.
>>> After a reinstall, ideally nothing needs to be done and the user
>>> account is ready to be used.
>> 
>> I like the idea of being able to reinstall and keep the /home.
>> But I'd rather not use systemd-homed to get the feature.
>> I already have full-disk-encryption for security.
>> 
>> What about having the necessary meta data in a per user file in /home
>> and read that when doing the reinstall?
>> 
>> I would have /home/barry and /home/barry.metadata for example.
> 
> What you describe is pretty much the proposal you were replying to,
> just with different paths. You'd have (unencrypted)
> /home/barry.homedir/ and /home/barry.homedir/.identity and
> systemd-homed would create /home/barry/ with a bind mount.

> You mention FDE, but the proposal was explicitly about homed homes
> without encryption at the homed level. This kind of setup is often
> used with FDE.

I'll search for the docs on this style of use. Thanks for the heads up.

Barry


> 
> Zbyszek
> -- 
> ___
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-09 Thread Zbigniew Jędrzejewski-Szmek
On Tue, Oct 08, 2024 at 06:14:29PM +0100, Barry Scott wrote:
> > On 4 Oct 2024, at 16:05, Zbigniew Jędrzejewski-Szmek  
> > wrote:
> > 
> > Hi folks,
> > 
> > I was recently doing a bunch of test reinstalls of Fedora [1],
> > looking to see if it's complicated to retain the user directories
> > during a reinstall. The answer is, sadly, that it's possible only with
> > some manual tinkering. This is a known problem [2].
> > 
> > With a little bit of trickery, Anaconda will let the "home" subvolume
> > be and install the system to a new "root" subvolume, so user data is
> > preserved. But then after a reboot a new user will be created, because
> > the old user is not hooked up into /etc/passwd.
> > 
> > We actually have a partial solution for this: systemd-homed.
> > With systemd-homed the information about the user is maintained in the
> > user directory/subvolume/partition, e.g. /home/username.homedir.
> > After a reinstall, ideally nothing needs to be done and the user
> > account is ready to be used.
> 
> I like the idea of being able to reinstall and keep the /home.
> But I'd rather not use systemd-homed to get the feature.
> I already have full-disk-encryption for security.
> 
> What about having the necessary meta data in a per user file in /home
> and read that when doing the reinstall?
> 
> I would have /home/barry and /home/barry.metadata for example.

What you describe is pretty much the proposal you were replying to,
just with different paths. You'd have (unencrypted)
/home/barry.homedir/ and /home/barry.homedir/.identity and
systemd-homed would create /home/barry/ with a bind mount.

You mention FDE, but the proposal was explicitly about homed homes
without encryption at the homed level. This kind of setup is often
used with FDE.

Zbyszek
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-09 Thread Lennart Poettering
On Di, 08.10.24 22:21, Chris Murphy (li...@colorremedies.com) wrote:

> >> And at least on my setup with many read-only snapshots in
> >> ~/, permissions changes wouldn't be permitted, even by the root
> >> user.
> >
> > Not sure I grok what you are trying to say here?
>
> Read-only snapshot contents are immutable, even by the root user.

Sure, but that's fine in an idmapped world.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-09 Thread Lennart Poettering
On Mi, 09.10.24 09:59, Lennart Poettering (mzerq...@0pointer.de) wrote:

> That said, for compat with traditional subuid/subgid as per the table
> on https://systemd.io/UIDS-GIDS the UID/GID range 524288…1879048191 is
> mapped 1:1 on homed homes, thus if you use those things work as
> before.

Just to add that this, on Fedora, as per login.defs:

SUB_UID_MIN524288
SUB_UID_MAX 60010

Thus, you should all be set, by default, if you want to use subuid/subgid.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-09 Thread Lennart Poettering
On Di, 08.10.24 11:42, Chris Adams (li...@cmadams.net) wrote:

> Once upon a time, Lennart Poettering  said:
> > Oh, that hasn't been the case for a long time anymore. Nowadays files
> > on disk are owned by the "nobody" user always, and idmapped mounts are
> > used to map them transiently to the UID/GID assigned to the user on
> > the local machine.
>
> How do rootless containers work (with subuid/subgid) in that setup?

I think subuid/subgid is highly problematic and should go away. We
have better mechanisms these days, via idmapping (i.e. container files
on disk should never be owned by the uid/gid ranges they are actually
run in, but those should be dynamically allocated and mapped
dynamically via idmapping to the physical UID/GID range on disk)

That said, for compat with traditional subuid/subgid as per the table
on https://systemd.io/UIDS-GIDS the UID/GID range 524288…1879048191 is
mapped 1:1 on homed homes, thus if you use those things work as
before.

But again, just don't, subuid/subgid is a mistake if you ask me.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-09 Thread Lennart Poettering
On Di, 08.10.24 12:46, Stephen Gallagher (sgall...@redhat.com) wrote:

> I suspect you're talking past one another here; in practice, IPA has a
> random set of ID ranges that (IIRC) essentially owns the ID space of
> 10,000 - 2,010,000. (It's possible for the installer to set an
> arbitrary range outside that, but it's a custom choice). So you could
> probably reserve the IDs above 20,010,000 for homed in that situation.

Uh, that seems like a problematic choice for IPA. First of all within
that range is the UID 65534, i.e. the linux nobody/overflow/unmapped
UID. You should not delegate this UID for any users. Moreover, 65535
(the -1 value in 16bit) is special, as it indicates "don't change" in
various legacy APIs, old file systems and so on. Newer apis generally
use 4294967295 for that (i.e. -1 in 32bit), but for compat 65535
should be avoided to.

If you so will, the uids 0, 65534, 65535, 4294967295 all have some
special meaning to Linux, and should not be used for regular
users. Hence it's highly problematic if IPA just delegates 65534 or
65535 to its regular users, as you appear to suggest.

But there's more: container managers typically do not delegate more than 64K
UIDs to containers (that's what nspawn does, and as I understand, other
container managers map even less space by default). Yes, you can
delegate more if you do extra work, but it's not what happens by
default. This means, UIDs < 2^16 are more "valuable" than those >=
2^16. In particular for stuff that shall "just work" inside of
containers it's kinda relevant to stick to ranges <
2^16. (systemd-homed's local UID allocations qualify as that)

With your definitions above you basically take most of that range for
IPA as private property, and I think that's just not OK, it's leaves
no space for anyone else in the 16bit range really (under the
assumption that 1000…6 are for classic /etc/passwd users, which is
what Fedora's login.defs dictates).

(BTW: talking about login.defs: if IPA wants to take possession from
UID range 1 on, you are conflicting with Fedora's login.defs
definition which assigns the range 1000…6 to regular users,
i.e. /etc/passwd)

Hence, what I'd like to ask IPA to do do is first of all stay away
from the 65534 + 65535 UIDs, that's just a major bug if you ask
me. I'd then like IPA to say away from the regular user range declared
in login.defs, i.e. UIDs < 60K. But also: leave some room in the 16bit
range, outside of the regular user range for other users.

My suggestion: change IPA to allocate from the range 65536…524287
range or so. Or alternatively from 1879048192…2147483647, which would
mean it wouldn't conflict with anything else anymore.

I understand that existing IPA deployments ignore all this, and that's
bad but hard to change. But at the very least, maybe for future
installations suggest better ranges.

We documented all our UID assignments and their reasons here:

https://systemd.io/UIDS-GIDS/

It would be very wise if IPA maintained a similar document with its
assignments, and similar considerations regarding the special UID
ranges and everything. Double assignments like the login.defs or
overflow UID stuff really should be avoided, and good documentation
helps for that.

I'd also be happy to update the UID/GID table on aforementioned
systemd documentation and delegate some range explicitly to IPA (or
IPA-like usecases) there, but for that I'd need some committment that
at least future IPA installations would honour it.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Chris Murphy


On Tue, Oct 8, 2024, at 1:14 PM, Barry Scott wrote:

> I like the idea of being able to reinstall and keep the /home.
> But I'd rather not use systemd-homed to get the feature.

It's an explicit feature request for the new installer's "Guided" partitioning 
path. The current UI (also for Fedora 41) requires the use of the Custom/Manual 
partitioning path, and for the user to know there's a several tricks. [1]

It would be nice to have a spec on how to do this without user intervention, 
and have the installer and homed use it.


[1]
One is a little obvious, you need to locate and click on the existing home 
subvolume and assign it to the `/home` mount point. But the second trick is not 
at all obvious. You need to click on + to add a new mount point, specify `/` as 
the mounpoint, and leave the capacity field blank. Do this and the installer 
creates a new subvolume on the existing Btrfs for the use of `/` with your 
existing (populated) `/home` subvolume. 

Still another is UID matching, since the new /etc/passwd doesn't have your user 
added yet - at least with Workstation edition, the new user is created by GNOME 
Initial Setup. If it's a single user setup, the UID for the first user created 
is 1000, and so if you just go through that part of GNOME Initial Setup again, 
it will create the entry in /etc/passwd, but will not touch the existing 
directory in `/home` for UID 1000, but if something is off - well I haven't 
tested that. So there could be some fragility here.



> I already have full-disk-encryption for security.
>
> What about having the necessary meta data in a per user file in /home
> and read that when doing the reinstall?

Perhaps set an XATTR on such a subvolume, so that only subvolumes with the 
XATTR are searched for this metadata? Btrfs supports 2^64 subvolumes. A casual 
user could easily have hundreds. 

-- 
Chris Murphy
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Chris Murphy


On Tue, Oct 8, 2024, at 11:59 AM, Lennart Poettering wrote:
> On Mo, 07.10.24 20:55, Chris Murphy (li...@colorremedies.com) wrote:
>
>> And at least on my setup with many read-only snapshots in
>> ~/, permissions changes wouldn't be permitted, even by the root
>> user.
>
> Not sure I grok what you are trying to say here?

Read-only snapshot contents are immutable, even by the root user.


-- 
Chris Murphy
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Barry Scott


> On 4 Oct 2024, at 16:05, Zbigniew Jędrzejewski-Szmek  
> wrote:
> 
> Hi folks,
> 
> I was recently doing a bunch of test reinstalls of Fedora [1],
> looking to see if it's complicated to retain the user directories
> during a reinstall. The answer is, sadly, that it's possible only with
> some manual tinkering. This is a known problem [2].
> 
> With a little bit of trickery, Anaconda will let the "home" subvolume
> be and install the system to a new "root" subvolume, so user data is
> preserved. But then after a reboot a new user will be created, because
> the old user is not hooked up into /etc/passwd.
> 
> We actually have a partial solution for this: systemd-homed.
> With systemd-homed the information about the user is maintained in the
> user directory/subvolume/partition, e.g. /home/username.homedir.
> After a reinstall, ideally nothing needs to be done and the user
> account is ready to be used.

I like the idea of being able to reinstall and keep the /home.
But I'd rather not use systemd-homed to get the feature.
I already have full-disk-encryption for security.

What about having the necessary meta data in a per user file in /home
and read that when doing the reinstall?

I would have /home/barry and /home/barry.metadata for example.

Barry

 
> 
> The primary purpose of systemd-homed is to use per-user encryption
> using loopback devices. This still has various problem related to
> resizing and suspend. Work is being done [see 3,4 for recent developments],
> but it's not at a point where we can recommend it.
> But systemd-homed has a mode where the user "home" is just a normal
> directory or btrfs subvolume with some metadata stored in files [5].
> Some work would be needed [6] to make this work smoothly, but it
> doesn't seem like too much. (Mostly filing down some rough edges
> in systemd-homed and adding pam_home_systemd and nss_systemd
> in various authselect profiles.)
> 
> Thus the question: would this be something worth looking into?
> 
> [1] 
> https://discussion.fedoraproject.org/t/feedback-anaconda-web-ui-partitioning/108995/65
> [2] 
> https://discussion.fedoraproject.org/t/its-difficult-to-reformat-a-btrfs-partition-subvolume-in-the-installer/89052
> [3] https://cfp.all-systems-go.io/all-systems-go-2024/talk/FFY3BB/
> [4] https://www.youtube.com/watch?v=3e3IhBBU0JY
> [5] https://systemd.io/HOME_DIRECTORY/
> [6] When I tested this today, this actually doesn't work.
>systemd-homed does a misguided check that break reinstalls.
>We'd need to figure out some solution here. Most likely just
>conditionalize that part of the code.
> 
> Zbyszek
> -- 
> ___
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue

-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Stephen Gallagher
On Tue, Oct 8, 2024 at 12:35 PM Lennart Poettering  wrote:
>
> On Di, 08.10.24 12:23, Stephen Gallagher (sgall...@redhat.com) wrote:
>
> > On Tue, Oct 8, 2024 at 12:19 PM Lennart Poettering  
> > wrote:
> > >
> > > On Di, 08.10.24 18:07, Fedora Development ML 
> > > (devel@lists.fedoraproject.org) wrote:
> > >
> > > > Am 08.10.24 um 17:32 schrieb Lennart Poettering:
> > > > > For example, I am fundamentally opposed to the model
> > > > > these systems generally pursue of turning UID numbers into centrally,
> > > > > organization-wide managed concepts.
> > > > Wait a second, some organization have more than 70k people (and in this
> > > > day and age, they all require their own accounts) and UIDs are (on
> > > > Linux) 16bit numbers (which means a max of 65536 possible values).
> > >
> > > uid_t is 32bit.
> > >
> > > See https://systemd.io/UIDS-GIDS for our (i.e. systemd's) take on UID
> > > ranges and how much is actually available from the 32bit for what.
> > >
> > > (Note that this document does not take IPA world into account, which
> > > doesn't really subscribe to the idea that projects should allocate
> > > from specific UID subranges only, and wants to own the whole range
> > > instead. Sad.)
> >
> > I'm not sure where you got that from...
> >
> > "By default, an IdM ID range is automatically assigned during the IdM
> > server installation. The ipa-server-install command randomly selects
> > and assigns a range of 200,000 IDs from a total of 10,000 possible
> > ranges. Selecting a random range in this way significantly reduces the
> > probability of conflicting IDs in case you decide to merge two
> > separate IdM domains in the future."
> >
> > You can select this range explicitly when setting up the domain and
> > you can add more 200k ranges later (though the first one you create is
> > immutable).
> >
> > [1] 
> > https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/adjusting-id-ranges-manually_configuring-and-managing-idm#automatic-id-ranges-assignment_adjusting-id-ranges-manually
>
> Comments like this from @abbra:
>
> https://github.com/systemd/systemd/pull/30846#issuecomment-1884526052
>
> Apparently the ranges are always configurable in IPA, and which ranges
> are used is stored in LDAP. This makes the logic systematically
> incompatible with various low-level uses where we need to classify
> UIDs in a very basic way, but cannot possibly consult any external
> database, IPC, or even network stuff.
>
> It would all be very easy if IPA would just stick to one range of
> UIDs, and allocate from that, but apparently IPA really wants this to
> be entirely configurable as I understand.
>

I suspect you're talking past one another here; in practice, IPA has a
random set of ID ranges that (IIRC) essentially owns the ID space of
10,000 - 2,010,000. (It's possible for the installer to set an
arbitrary range outside that, but it's a custom choice). So you could
probably reserve the IDs above 20,010,000 for homed in that situation.

-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Chris Adams
Once upon a time, Lennart Poettering  said:
> I am pretty sure all files inside of a home dir should carry the same
> selinux label, identifying it as a user's file.

That's incorrect, as there are a variety of restricted things, starting
as basic as SSH keys and authorized hosts.

-- 
Chris Adams 
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Simon Farnsworth via devel
On Tuesday 8 October 2024 17:07:53 BST Kilian Hanich via devel wrote:
> Am 08.10.24 um 17:32 schrieb Lennart Poettering:
> 
> > For example, I am fundamentally opposed to the model
> > these systems generally pursue of turning UID numbers into centrally,
> > organization-wide managed concepts.
> 
> Wait a second, some organization have more than 70k people (and in this
> day and age, they all require their own accounts) and UIDs are (on
> Linux) 16bit numbers (which means a max of 65536 possible values).
> 
> Does somebody know or have an idea of how they make that work?
> 
I worked at a place with more than 70k user accounts; we used 32 bit UIDs on 
Linux for this purpose.

Linux UIDs are 32 bit since 2.4 days, not 16 bit.

-- 
Simon Farnsworth


-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Chris Adams
Once upon a time, Lennart Poettering  said:
> Oh, that hasn't been the case for a long time anymore. Nowadays files
> on disk are owned by the "nobody" user always, and idmapped mounts are
> used to map them transiently to the UID/GID assigned to the user on
> the local machine.

How do rootless containers work (with subuid/subgid) in that setup?

-- 
Chris Adams 
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Lennart Poettering
On Di, 08.10.24 12:23, Stephen Gallagher (sgall...@redhat.com) wrote:

> On Tue, Oct 8, 2024 at 12:19 PM Lennart Poettering  
> wrote:
> >
> > On Di, 08.10.24 18:07, Fedora Development ML 
> > (devel@lists.fedoraproject.org) wrote:
> >
> > > Am 08.10.24 um 17:32 schrieb Lennart Poettering:
> > > > For example, I am fundamentally opposed to the model
> > > > these systems generally pursue of turning UID numbers into centrally,
> > > > organization-wide managed concepts.
> > > Wait a second, some organization have more than 70k people (and in this
> > > day and age, they all require their own accounts) and UIDs are (on
> > > Linux) 16bit numbers (which means a max of 65536 possible values).
> >
> > uid_t is 32bit.
> >
> > See https://systemd.io/UIDS-GIDS for our (i.e. systemd's) take on UID
> > ranges and how much is actually available from the 32bit for what.
> >
> > (Note that this document does not take IPA world into account, which
> > doesn't really subscribe to the idea that projects should allocate
> > from specific UID subranges only, and wants to own the whole range
> > instead. Sad.)
>
> I'm not sure where you got that from...
>
> "By default, an IdM ID range is automatically assigned during the IdM
> server installation. The ipa-server-install command randomly selects
> and assigns a range of 200,000 IDs from a total of 10,000 possible
> ranges. Selecting a random range in this way significantly reduces the
> probability of conflicting IDs in case you decide to merge two
> separate IdM domains in the future."
>
> You can select this range explicitly when setting up the domain and
> you can add more 200k ranges later (though the first one you create is
> immutable).
>
> [1] 
> https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/adjusting-id-ranges-manually_configuring-and-managing-idm#automatic-id-ranges-assignment_adjusting-id-ranges-manually

Comments like this from @abbra:

https://github.com/systemd/systemd/pull/30846#issuecomment-1884526052

Apparently the ranges are always configurable in IPA, and which ranges
are used is stored in LDAP. This makes the logic systematically
incompatible with various low-level uses where we need to classify
UIDs in a very basic way, but cannot possibly consult any external
database, IPC, or even network stuff.

It would all be very easy if IPA would just stick to one range of
UIDs, and allocate from that, but apparently IPA really wants this to
be entirely configurable as I understand.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Lennart Poettering
On Di, 08.10.24 09:24, Neal Gompa (ngomp...@gmail.com) wrote:

> On Tue, Oct 8, 2024 at 9:22 AM Michael Catanzaro  
> wrote:
> >
> > On Mon, Oct 7 2024 at 12:59:46 PM -04:00:00, Simo Sorce
> >  wrote:
> > > Changing a default like this is not something to do lightly IMHO.
> >
> > I'm interested in systemd-homed because we currently have no other
> > plausible path towards encryption of user data by default [1] (since
> > use of LUKS full-disk encryption has been rejected).
> >
> > [1] https://pagure.io/fedora-workstation/issue/82
>
> And that's the context in which we wanted homed working with
> centralized logins. It continues to confuse me that people conflate
> "centralized login provider" with "remote users", which are not the
> same thing at all. Local users that have primary
> authentication/authorization externally managed has been a pattern for
> quite a long time on other platforms.

So one thing I am kinda interested in is adding support for
synthesizing local homed users from oidc/oauth2 accounts, in the long
run, to get something like a Chromebook-like behaviour, that you can
basically say "allow logins from any @google.com" account or similar,
and we'd generate a home dir from that automatically, as you log
in. But quite frankly, we have more pressing issues in systemd-homed
land right now. It's a bigger project, would require support in
various layers, i.e. gdm would probably need to support some form of
web browser and so on.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Stephen Gallagher
On Tue, Oct 8, 2024 at 12:19 PM Lennart Poettering  wrote:
>
> On Di, 08.10.24 18:07, Fedora Development ML (devel@lists.fedoraproject.org) 
> wrote:
>
> > Am 08.10.24 um 17:32 schrieb Lennart Poettering:
> > > For example, I am fundamentally opposed to the model
> > > these systems generally pursue of turning UID numbers into centrally,
> > > organization-wide managed concepts.
> > Wait a second, some organization have more than 70k people (and in this
> > day and age, they all require their own accounts) and UIDs are (on
> > Linux) 16bit numbers (which means a max of 65536 possible values).
>
> uid_t is 32bit.
>
> See https://systemd.io/UIDS-GIDS for our (i.e. systemd's) take on UID
> ranges and how much is actually available from the 32bit for what.
>
> (Note that this document does not take IPA world into account, which
> doesn't really subscribe to the idea that projects should allocate
> from specific UID subranges only, and wants to own the whole range
> instead. Sad.)

I'm not sure where you got that from...

"By default, an IdM ID range is automatically assigned during the IdM
server installation. The ipa-server-install command randomly selects
and assigns a range of 200,000 IDs from a total of 10,000 possible
ranges. Selecting a random range in this way significantly reduces the
probability of conflicting IDs in case you decide to merge two
separate IdM domains in the future."

You can select this range explicitly when setting up the domain and
you can add more 200k ranges later (though the first one you create is
immutable).

[1] 
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/adjusting-id-ranges-manually_configuring-and-managing-idm#automatic-id-ranges-assignment_adjusting-id-ranges-manually

-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Lennart Poettering
On Di, 08.10.24 18:07, Fedora Development ML (devel@lists.fedoraproject.org) 
wrote:

> Am 08.10.24 um 17:32 schrieb Lennart Poettering:
> > For example, I am fundamentally opposed to the model
> > these systems generally pursue of turning UID numbers into centrally,
> > organization-wide managed concepts.
> Wait a second, some organization have more than 70k people (and in this
> day and age, they all require their own accounts) and UIDs are (on
> Linux) 16bit numbers (which means a max of 65536 possible values).

uid_t is 32bit.

See https://systemd.io/UIDS-GIDS for our (i.e. systemd's) take on UID
ranges and how much is actually available from the 32bit for what.

(Note that this document does not take IPA world into account, which
doesn't really subscribe to the idea that projects should allocate
from specific UID subranges only, and wants to own the whole range
instead. Sad.)

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Lennart Poettering
On Mo, 07.10.24 14:15, Alexander Bokovoy (aboko...@redhat.com) wrote:

> > > https://github.com/fedora-selinux/selinux-policy/pull/939#issuecomment-1409217811
> > > No follow up happened on that, sadly.
> > >
> > > I do not see any work done on that yet. Without having SELinux support
> > > properly integrated, I think enabling systemd-homed by default is
> > > premature.
> > >
> > Actually selinux-policy has support for systemd-homed in F41 and F42 since
> > Sep 24th.
>
> Thanks, though this is about the first part (selinux-policy allowing
> systemd-homed to access its own default home directory), while the
> github comment talks about drives that systemd-homed creates for user
> homes. That part needs to be addressed in systemd-homed, if I understand
> correctly, pretty much like we address labeling of auto-created home
> directories in oddjob.

I am pretty sure all files inside of a home dir should carry the same
selinux label, identifying it as a user's file. Because everything
else makes home directories unportable, because local system policy
will leak into the homedirs. Moreover SELinux policy even if it wanted
couldn#t really express fine-grained app policy, since it's a
centralized thing, and we live in a world where apps are built and
distributed outside fedora, with flatpak and stuff. The assumption
that every app comes via fedora, and hence can come with selinux
database/policy also shipped by fedora to match it is just unrealistic
in today's world.

There's an upstream issue about all this:

https://github.com/systemd/systemd/issues/30580

It's kinda stuck, because the overlap of folks deeply interested in
homed and deeply interested in selinux is kinda small to non-existing.

Anyway, if all people want is to stick another "relabel" this call
after we create a new homedir, i am fine with that, but this would be
not be a full fix in my eyes.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Kilian Hanich via devel

Am 08.10.24 um 17:32 schrieb Lennart Poettering:

For example, I am fundamentally opposed to the model
these systems generally pursue of turning UID numbers into centrally,
organization-wide managed concepts.

Wait a second, some organization have more than 70k people (and in this
day and age, they all require their own accounts) and UIDs are (on
Linux) 16bit numbers (which means a max of 65536 possible values).

Does somebody know or have an idea of how they make that work?


Regards

Kilian Hanich
--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Lennart Poettering
On Mo, 07.10.24 20:55, Chris Murphy (li...@colorremedies.com) wrote:

> > What happens if there are conflicts of uid or gid ?
>
> uid/gid are recursively changed at mount time to avoid
> conflicts. For large homes, this could result in a lot of metadata
> writes.

Oh, that hasn't been the case for a long time anymore. Nowadays files
on disk are owned by the "nobody" user always, and idmapped mounts are
used to map them transiently to the UID/GID assigned to the user on
the local machine.

Or in other words, it's basically free, now.

> And at least on my setup with many read-only snapshots in
> ~/, permissions changes wouldn't be permitted, even by the root
> user.

Not sure I grok what you are trying to say here?

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Lennart Poettering
On Mo, 07.10.24 12:59, Simo Sorce (s...@redhat.com) wrote:

> > The homed approach would make other things possible too. For example,
> > sharing of /home in dual-boot scenarios. Right now a manual setup
> > needs to be done, and login details need to be propagated each time,
> > but with homed, dual-boot and reinstall are very similar scenarios,
> > so if we get one to work, we get the other one for free.
> >
> > Zbyszek
>
> The homed approach can work only in cases where you basically have only
> one user and all the OSs use the same approach.

Hmm, what? No, homed works fine with multiple users. I have multiple
users right now on my local system.

> I see a few issues with security that needs to be addressed.

Like what? Please be explicit, otherwise smells like FUD.

I am pretty sure the security model is a lot cleaner than anything the
sssd/IPA world would do, because we lock disk encryption to user
provided credentials, FIDO2/PKCS#11 and such, and can suspend the home
dir's encryption key on suspend. It should be a massive step up in
security.

Hence I am very curious where you think the security issues are?

> What happens if I plug a disk into a laptop that sports a "homed"
> directory, will the laptop suddenly allow a stranger to just login into
> the machine?

No. systemd-homed user records are signed. User records not signed by
a recognized key are not accepted.

I am not sure if sssd/IPA stuff has something similar? is there any
cryptographic integration protection part of its user database?

> What happens if there are conflicts of uid or gid ?

In the systemd-homed world uid/gid are assigned when the home dir is
first activated on a host. A free UID/GID is allocated then, and
idmapping is used to ensure that the home dir appears owned by the
right user (or in other words: on disk all files are owned by
user/group "nobody", only the idmapping makes them appear owned by the
user locally). This UID/GID binding is persisted on the local system,
but can differ between systems.

> Will it now allow this other user to access files and directories that
> should be reserved to other users?

No. At moment the binding of the home dir to the local host is
established a free UID/GID is taken from a very specific range. This
should make collisions unlikely. (though not impossible, because this
system of course relies on everyone being equally careful before
taking possession of a UID/GID, and as I understand the IPA world is
systematically opposed to that, which is sad, but nothing I can
change).

> What happen if you want to change the user to be a corporate directory
> provided one?

Enterprisey IPA/SSSD/AD/LDAP style stuff really is not in focus for
systemd-homed, as mentioned many times.

> Can you configure autologin for those uses cases (like kiosks or a home
> entertainment system) where that makes sense to do ?

No you cannot, the security model relies on unlock keys to be provided
before the home directory is accessible. It's a strength of the model,
not a weakness, that user data is actually protected by the provided
user authentication credentials.

As I understand the IPA/sssd model is a lot more traditional there,
and does not consider the user's data as something to protect? I'd
call that highly problematic, but I guess it's from a different time.

Note that systemd-homed is *one* provider of user accounts, but it's
not to be the only one. The way I see it there are always multiple in
play:

1. static system users configured via /etc/passwd, /etc/shadow & co.
2. dynamic system users allocated via systemd's DynamicUser=1
3. systemd-homed ones for high-security, local users
4. traditional unix users configured via /etc/passwd, /etc/shadow & co.
5. sssd provided ones for networked enterprise accounts

Of course, item 1 and 4 are the same pretty much, just differ in UID
range.

In your kiosk usecase always opt for option 4 I think.

> Is this tied to a specific file system type?

homed has various backends. If you use the LUKS backend you really
want to use btrfs, because it allows both online grow & shrink. Other
file systems are a lot more limited, but also supported for the LUKS
backend. But there's also a plain directory backend where we make
almost any restrictions (at weaker security of course). And there's an
fscrypt backend (which only requires an fs that supports fscrypt), at
mid-level security (because fscrypt protectes file contents, not
metadata, unlike the LUKS/dm-crypt backend which protects everything.)

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, re

Re: strawman proposal: homed directories for users

2024-10-08 Thread Lennart Poettering
On Sa, 05.10.24 10:53, Alexander Bokovoy (aboko...@redhat.com) wrote:

> > The homed approach would make other things possible too. For example,
> > sharing of /home in dual-boot scenarios. Right now a manual setup
> > needs to be done, and login details need to be propagated each time,
> > but with homed, dual-boot and reinstall are very similar scenarios,
> > so if we get one to work, we get the other one for free.
>
> Can we move systemd-homed configuration and activation into something
> that could be explicitly enabled by the administrators? Whether this is
> done during installation or post, it still would need to be a concious
> step made by admins.

It's activated on-demand only. It should not take much resources hence.

> Right now systemd-homed is activated on each system without ask for it,
> even on systems that do not benefit from its use (see parallel
> discussion by Neal). I also see it as a sole contributor to SELinux AVCs
> in OpenQA tests we run for FreeIPA use cases.

That seems like a bug in the SELinux policy really.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Lennart Poettering
On Mo, 07.10.24 20:42, Chris Murphy (li...@colorremedies.com) wrote:

> > You should be able to combine the three sources of users freely
> > without problems – if you like. But these three sources of user
> > definitions should be on similar footing, and not try to abstract each
> > other.
> >
> > Hence: if you have some user in ldap/ipa, and another in homed, that's
> > entirely fine, they should not affect each other.
>
> Supporting local encrypted user data with centralized authentication
> methods is desired. Why implement this outside of systemd-homed
> rather than within it? The former seems like a duplicated effort.

Well, for starters, there's quite a philosophical gap between how I
personally (and homed being my design, this kinda is built into the
thing) think home dirs should be managed, and how the IPA/AD/SSSD
worlds do it. For example, I am fundamentally opposed to the model
these systems generally pursue of turning UID numbers into centrally,
organization-wide managed concepts. I am pretty sure they should
remain locally managed artifacts of a binding of a user record to the
local system. One of the reason homed exists is to break with the
concept of trying to manage UIDs organization-wise. And there's a lot
more, for example it's fundamental to homed that access to home dirs
is unavailable unless the user is logged in, and authentication keys
for the data itself are provided. That breaks with fundamental
assumptions baked into much UNIX software, which however is stuff the
classic centralized enterprise world really cares about.

So yes, from a distanced view you might think: both ipa and homed
manage home dirs, so why not make that one. But conceptually,
philosophically the two things are *so* different I really don't think
one should attempt to make them one thing.

Note that in systemd's infrastructure we have three components for
managing users/sessions:

1. systemd-logind  → manages logged in user sessions and related stuff
2. systemd-userdbd → manages JSON users/group records, going far beyond "struct 
passwd" and friends
3. systemd-homed   → manages encrypted local home dirs

These three things are separate on purpose. They integrate closely if
used together, i.e. systemd-homed provides user records to
systemd-userdbd, and systemd-logind reads them from systemd-userdbd,
so that homed can set various things such as security and resource
control settings that logind then enforces. But the interfaces between
the three are open and documented, hence if sssd wants it can very
well plug into systemd-userdbd the same way as systemd-homed does, and
then take benefit of systemd-logind resource logic too.

So far there's was literal interest in that though.

But yeah, would be great if sssd/ipa world would integrate with
systemd-logind/systemd-userdbd and all that stuff more tightly, but
that should be on equal footing with systemd-homed, and not inside of
systemd-homed or so.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Simo Sorce
On Tue, 2024-10-08 at 08:22 -0500, Michael Catanzaro wrote:
> On Mon, Oct 7 2024 at 12:59:46 PM -04:00:00, Simo Sorce 
>  wrote:
> > Changing a default like this is not something to do lightly IMHO.
> 
> I'm interested in systemd-homed because we currently have no other 
> plausible path towards encryption of user data by default [1] (since 
> use of LUKS full-disk encryption has been rejected).
> 
> [1] https://pagure.io/fedora-workstation/issue/82

It is a too long issue to understand all the details, but honestly for
a laptop it seem misguided to me not to use LUKS if you care about
protecting the whole data and do not fully understand what is the
problem of using it, then again I do not use btrfs and always set up
LUKS on my own by customizing installation, and as long as these
changes do not break customization I guess experimentation is
reasonable.

Simo.

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Neal Gompa
On Tue, Oct 8, 2024 at 9:22 AM Michael Catanzaro  wrote:
>
> On Mon, Oct 7 2024 at 12:59:46 PM -04:00:00, Simo Sorce
>  wrote:
> > Changing a default like this is not something to do lightly IMHO.
>
> I'm interested in systemd-homed because we currently have no other
> plausible path towards encryption of user data by default [1] (since
> use of LUKS full-disk encryption has been rejected).
>
> [1] https://pagure.io/fedora-workstation/issue/82
>

And that's the context in which we wanted homed working with
centralized logins. It continues to confuse me that people conflate
"centralized login provider" with "remote users", which are not the
same thing at all. Local users that have primary
authentication/authorization externally managed has been a pattern for
quite a long time on other platforms.


-- 
真実はいつも一つ!/ Always, there's only one truth!
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-08 Thread Michael Catanzaro
On Mon, Oct 7 2024 at 12:59:46 PM -04:00:00, Simo Sorce 
 wrote:

Changing a default like this is not something to do lightly IMHO.


I'm interested in systemd-homed because we currently have no other 
plausible path towards encryption of user data by default [1] (since 
use of LUKS full-disk encryption has been rejected).


[1] https://pagure.io/fedora-workstation/issue/82


--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-07 Thread Chris Murphy


On Mon, Oct 7, 2024, at 12:59 PM, Simo Sorce wrote:

> What happens if I plug a disk into a laptop that sports a "homed"
> directory, will the laptop suddenly allow a stranger to just login into
> the machine?

No, the account needs to be allowed by that machine's admin.

>
> What happens if there are conflicts of uid or gid ?

uid/gid are recursively changed at mount time to avoid conflicts. For large 
homes, this could result in a lot of metadata writes. And at least on my setup 
with many read-only snapshots in ~/, permissions changes wouldn't be permitted, 
even by the root user.

Some file systems have a uid= gid= mount option, but none of the ones we use 
for /home do. I wish this could be supported by VFS.


> Will it now allow this other user to access files and directories that
> should be reserved to other users?

No.


-- 
Chris Murphy
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-07 Thread Chris Murphy


On Mon, Oct 7, 2024, at 7:12 AM, Lennart Poettering wrote:
> On Fr, 04.10.24 11:20, Neal Gompa (ngomp...@gmail.com) wrote:
>
>> > The primary purpose of systemd-homed is to use per-user encryption
>> > using loopback devices. This still has various problem related to
>> > resizing and suspend. Work is being done [see 3,4 for recent developments],
>> > but it's not at a point where we can recommend it.
>> > But systemd-homed has a mode where the user "home" is just a normal
>> > directory or btrfs subvolume with some metadata stored in files [5].
>> > Some work would be needed [6] to make this work smoothly, but it
>> > doesn't seem like too much. (Mostly filing down some rough edges
>> > in systemd-homed and adding pam_home_systemd and nss_systemd
>> > in various authselect profiles.)
>> >
>> > Thus the question: would this be something worth looking into?
>>
>> When this was first explored a few years ago, the main problem that
>> came up was that homed is functionally incompatible with centralized
>> login systems (SSSD to FreeIPA/AD, OIDC, etc.). If this has changed,
>> then it would make sense to revisit.
>
> Well, you are comparing apples and oranges here. sssd/freeipa provides
> some users to the system, as does the traditional /etc/passwd system,
> and now homed some more.
>
> You should be able to combine the three sources of users freely
> without problems – if you like. But these three sources of user
> definitions should be on similar footing, and not try to abstract each
> other.
>
> Hence: if you have some user in ldap/ipa, and another in homed, that's
> entirely fine, they should not affect each other.

Supporting local encrypted user data with centralized authentication methods is 
desired. Why implement this outside of systemd-homed rather than within it? The 
former seems like a duplicated effort.

But OK, I don't know how the sd-homed key eviction feature at sleep time might 
work for centralized authentication.




-- 
Chris Murphy
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-07 Thread Simo Sorce
On Sat, 2024-10-05 at 07:36 +, Zbigniew Jędrzejewski-Szmek wrote:
> On Fri, Oct 04, 2024 at 12:17:14PM -0400, David Cantrell wrote:
> > The common use case for this is the Fedora laptop user which in nearly every
> > case is going to have one local user account.
> > 
> > I have always split /home from the rest of the system and I know others do
> > as well.  I would rather see anaconda modified so that if I am creating a
> > user account at install time, check for /home/USERNAME and if USERNAME
> > matches and the UID and GID matches, just don't create the home directory.
> > That is, -M on useradd(8).
> 
> Yeah, that's the other possible approach. But I think it's actually
> quite complicated to make this work reliably. Traditional UNIX accounts
> spread the information about the user over a bunch of files. Consistency
> must be maintained, UIDs and GIDs on disk must match, etc. We _could_
> add the smarts to cover all that in Anaconda, but Anaconda developers
> are trying to simplify it, not add new complicated code.
> 
> OTOH, homed was created with the idea of self-contained "homes" from
> the beginning, and systemd upstream is dedicating resources to make it
> work. (E.g., currently, a full-time developer working on integration
> of systemd-homed and GNOME on a grant from German STF.)
> So I think it's much more maintainable to just make use of this and
> let systemd upstream help with any bugs that we discover.
> 
> The homed approach would make other things possible too. For example,
> sharing of /home in dual-boot scenarios. Right now a manual setup
> needs to be done, and login details need to be propagated each time,
> but with homed, dual-boot and reinstall are very similar scenarios,
> so if we get one to work, we get the other one for free.
> 
> Zbyszek

The homed approach can work only in cases where you basically have only
one user and all the OSs use the same approach.

I see a few issues with security that needs to be addressed.

What happens if I plug a disk into a laptop that sports a "homed"
directory, will the laptop suddenly allow a stranger to just login into
the machine?

What happens if there are conflicts of uid or gid ?
Will it now allow this other user to access files and directories that
should be reserved to other users?

What happen if you want to change the user to be a corporate directory
provided one?

Can you configure autologin for those uses cases (like kiosks or a home
entertainment system) where that makes sense to do ?

Is this tied to a specific file system type?

Changing a default like this is not something to do lightly IMHO.

-- 
Simo Sorce
Distinguished Engineer
RHEL Crypto Team
Red Hat, Inc

-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-07 Thread Lennart Poettering
On Sa, 05.10.24 05:50, Neal Gompa (ngomp...@gmail.com) wrote:

> > > So from my point of view, homed *should not* be incompatible with this
> > > use-case, even though it currently is.
> >
> > I would just use normal users for that case. This functionality is
> > not going away and there would be no benefit from somehow shoehorning
> > remotely-defined users into systemd-homed.
>
> There is: automatic encryption of user data, and tying the user-data
> decryption to central login credentials.

I think you want homed to be something it really isn't. It's about
locally managed stuff, not about networked accounts. If you want
networked stuff, thta's fine, then use sssd, but this really doesn't
need to take place like this within the homed framework really.

> The whole reason we explored homed was for that, and there is very
> little benefit to doing any integration work for homed if we can't
> universally reap the benefits of it.

Well, that's a bit like saying we shouldn't adopt mysql because it is
a shit web browser, no? I mean, it's true, mysql *is* a shit web
browser, but it's not really what mysql is supposed to be, no?

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-07 Thread Lennart Poettering
On Fr, 04.10.24 13:20, Neal Gompa (ngomp...@gmail.com) wrote:

> On Fri, Oct 4, 2024 at 11:36 AM Zbigniew Jędrzejewski-Szmek
>  wrote:
> >
> > On Fri, Oct 04, 2024 at 11:20:48AM -0400, Neal Gompa wrote:
> > > When this was first explored a few years ago, the main problem that
> > > came up was that homed is functionally incompatible with centralized
> > > login systems (SSSD to FreeIPA/AD, OIDC, etc.). If this has changed,
> > > then it would make sense to revisit.
> >
> > homed is about self-contained definitions of users. So obviously
> > those users cannot be defined centrally… I think it's compatible in
> > the sense that both kinds of users can be used on the same machine.
> > Is there some more specific problem?
> >
>
> It's fairly normal these days that the users are self-contained and
> otherwise local, *except* for login credentials. This use-case is
> important to support because this is pretty much how business laptops
> need to work.
>
> In the long past, the dichotomy was clearer: you either had local
> users with local storage, or centrally managed users with remote
> storage. But nowadays it's always local storage, just with either
> local authentication or remote authentication. This also includes
> being able to cache remote authentication records (e.g. SSSD) for
> brief offline periods for logging in anyway.
>
> So from my point of view, homed *should not* be incompatible with this
> use-case, even though it currently is.

homed is something different than sssd stuff, it's just local user
management, with some nice properties. It is not in the business of
centralized, enterprise user management, and that's entirely fine.

glibc NSS defines a somewhat OK'ish abstraction over homed and sssd so
that most apps don#t really have to care where a user comes from, from
the network (i.e. sssd) or from a locally managed thing (i.e. homed).

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-07 Thread Alexander Bokovoy

On Пан, 07 кас 2024, Zdenek Pytela wrote:

On Mon, Oct 7, 2024 at 12:36 PM Alexander Bokovoy 
wrote:


On Няд, 06 кас 2024, Zbigniew Jędrzejewski-Szmek wrote:
>On Sat, Oct 05, 2024 at 10:53:16AM +0300, Alexander Bokovoy wrote:
>> Can we move systemd-homed configuration and activation into something
>> that could be explicitly enabled by the administrators? Whether this is
>> done during installation or post, it still would need to be a concious
>> step made by admins.
>
>It can be enabled and disabled. Nevertheless, having it enabled seems
>to e a good default. If there are no homed users defined, it should
>just hang in the background doing nothing. (Though maybe it could exit
>after being started. I'll try to look into this.)
>
>Any SELinux denials will have to be fixed anyway. So this is not an
>argument for disabling it.

Sure, it does need to be fixed. However, I think it is a signal that
systemd-homed is not really in use across Fedora community. The original
SELinux issue was opened in 2021, against Fedora 35:
https://bugzilla.redhat.com/show_bug.cgi?id=2036108

Since that time multiple people tried to get SELinux policy developed
and merged upstream and none happened until we re-raised its importance
from OpenQA failures for FreeIPA. So SELinux policy changes would come
but this is not enough.

A question was raised in 2023 by mattdm about systemd-homed support of
SELinux on newly created homes as somebody commented that systemd-homed
does not support proper labeling of the homes:

https://github.com/fedora-selinux/selinux-policy/pull/939#issuecomment-1409217811
No follow up happened on that, sadly.

I do not see any work done on that yet. Without having SELinux support
properly integrated, I think enabling systemd-homed by default is
premature.


Actually selinux-policy has support for systemd-homed in F41 and F42 since
Sep 24th.


Thanks, though this is about the first part (selinux-policy allowing
systemd-homed to access its own default home directory), while the
github comment talks about drives that systemd-homed creates for user
homes. That part needs to be addressed in systemd-homed, if I understand
correctly, pretty much like we address labeling of auto-created home
directories in oddjob.


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-07 Thread Lennart Poettering
On Fr, 04.10.24 11:20, Neal Gompa (ngomp...@gmail.com) wrote:

> > The primary purpose of systemd-homed is to use per-user encryption
> > using loopback devices. This still has various problem related to
> > resizing and suspend. Work is being done [see 3,4 for recent developments],
> > but it's not at a point where we can recommend it.
> > But systemd-homed has a mode where the user "home" is just a normal
> > directory or btrfs subvolume with some metadata stored in files [5].
> > Some work would be needed [6] to make this work smoothly, but it
> > doesn't seem like too much. (Mostly filing down some rough edges
> > in systemd-homed and adding pam_home_systemd and nss_systemd
> > in various authselect profiles.)
> >
> > Thus the question: would this be something worth looking into?
>
> When this was first explored a few years ago, the main problem that
> came up was that homed is functionally incompatible with centralized
> login systems (SSSD to FreeIPA/AD, OIDC, etc.). If this has changed,
> then it would make sense to revisit.

Well, you are comparing apples and oranges here. sssd/freeipa provides
some users to the system, as does the traditional /etc/passwd system,
and now homed some more.

You should be able to combine the three sources of users freely
without problems – if you like. But these three sources of user
definitions should be on similar footing, and not try to abstract each
other.

Hence: if you have some user in ldap/ipa, and another in homed, that's
entirely fine, they should not affect each other.

Lennart

--
Lennart Poettering, Berlin
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-07 Thread Zdenek Pytela
On Mon, Oct 7, 2024 at 12:36 PM Alexander Bokovoy 
wrote:

> On Няд, 06 кас 2024, Zbigniew Jędrzejewski-Szmek wrote:
> >On Sat, Oct 05, 2024 at 10:53:16AM +0300, Alexander Bokovoy wrote:
> >> Can we move systemd-homed configuration and activation into something
> >> that could be explicitly enabled by the administrators? Whether this is
> >> done during installation or post, it still would need to be a concious
> >> step made by admins.
> >
> >It can be enabled and disabled. Nevertheless, having it enabled seems
> >to e a good default. If there are no homed users defined, it should
> >just hang in the background doing nothing. (Though maybe it could exit
> >after being started. I'll try to look into this.)
> >
> >Any SELinux denials will have to be fixed anyway. So this is not an
> >argument for disabling it.
>
> Sure, it does need to be fixed. However, I think it is a signal that
> systemd-homed is not really in use across Fedora community. The original
> SELinux issue was opened in 2021, against Fedora 35:
> https://bugzilla.redhat.com/show_bug.cgi?id=2036108
>
> Since that time multiple people tried to get SELinux policy developed
> and merged upstream and none happened until we re-raised its importance
> from OpenQA failures for FreeIPA. So SELinux policy changes would come
> but this is not enough.
>
> A question was raised in 2023 by mattdm about systemd-homed support of
> SELinux on newly created homes as somebody commented that systemd-homed
> does not support proper labeling of the homes:
>
> https://github.com/fedora-selinux/selinux-policy/pull/939#issuecomment-1409217811
> No follow up happened on that, sadly.
>
> I do not see any work done on that yet. Without having SELinux support
> properly integrated, I think enabling systemd-homed by default is
> premature.
>
Actually selinux-policy has support for systemd-homed in F41 and F42 since
Sep 24th.



>
> Could you please make sure this is addressed by systemd-homed through
> upstream?
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
> --
> ___
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>


-- 

Zdenek Pytela
Security SELinux team
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-07 Thread Alexander Bokovoy

On Няд, 06 кас 2024, Zbigniew Jędrzejewski-Szmek wrote:

On Sat, Oct 05, 2024 at 10:53:16AM +0300, Alexander Bokovoy wrote:

Can we move systemd-homed configuration and activation into something
that could be explicitly enabled by the administrators? Whether this is
done during installation or post, it still would need to be a concious
step made by admins.


It can be enabled and disabled. Nevertheless, having it enabled seems
to e a good default. If there are no homed users defined, it should
just hang in the background doing nothing. (Though maybe it could exit
after being started. I'll try to look into this.)

Any SELinux denials will have to be fixed anyway. So this is not an
argument for disabling it.


Sure, it does need to be fixed. However, I think it is a signal that
systemd-homed is not really in use across Fedora community. The original
SELinux issue was opened in 2021, against Fedora 35:
https://bugzilla.redhat.com/show_bug.cgi?id=2036108

Since that time multiple people tried to get SELinux policy developed
and merged upstream and none happened until we re-raised its importance
from OpenQA failures for FreeIPA. So SELinux policy changes would come
but this is not enough.

A question was raised in 2023 by mattdm about systemd-homed support of
SELinux on newly created homes as somebody commented that systemd-homed
does not support proper labeling of the homes:
https://github.com/fedora-selinux/selinux-policy/pull/939#issuecomment-1409217811
No follow up happened on that, sadly.

I do not see any work done on that yet. Without having SELinux support
properly integrated, I think enabling systemd-homed by default is
premature.

Could you please make sure this is addressed by systemd-homed through
upstream?


--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-06 Thread Zbigniew Jędrzejewski-Szmek
On Sat, Oct 05, 2024 at 10:53:16AM +0300, Alexander Bokovoy wrote:
> Can we move systemd-homed configuration and activation into something
> that could be explicitly enabled by the administrators? Whether this is
> done during installation or post, it still would need to be a concious
> step made by admins.

It can be enabled and disabled. Nevertheless, having it enabled seems
to e a good default. If there are no homed users defined, it should
just hang in the background doing nothing. (Though maybe it could exit
after being started. I'll try to look into this.)

Any SELinux denials will have to be fixed anyway. So this is not an
argument for disabling it.

Zbyszek

> Right now systemd-homed is activated on each system without ask for it,
> even on systems that do not benefit from its use (see parallel
> discussion by Neal). I also see it as a sole contributor to SELinux AVCs
> in OpenQA tests we run for FreeIPA use cases.
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-05 Thread Neal Gompa
On Sat, Oct 5, 2024 at 3:45 AM Zbigniew Jędrzejewski-Szmek
 wrote:
>
> On Fri, Oct 04, 2024 at 01:20:40PM -0400, Neal Gompa wrote:
> > It's fairly normal these days that the users are self-contained and
> > otherwise local, *except* for login credentials. This use-case is
> > important to support because this is pretty much how business laptops
> > need to work.
> >
> > In the long past, the dichotomy was clearer: you either had local
> > users with local storage, or centrally managed users with remote
> > storage. But nowadays it's always local storage, just with either
> > local authentication or remote authentication. This also includes
> > being able to cache remote authentication records (e.g. SSSD) for
> > brief offline periods for logging in anyway.
> >
> > So from my point of view, homed *should not* be incompatible with this
> > use-case, even though it currently is.
>
> I would just use normal users for that case. This functionality is
> not going away and there would be no benefit from somehow shoehorning
> remotely-defined users into systemd-homed.
>

There is: automatic encryption of user data, and tying the user-data
decryption to central login credentials.

The whole reason we explored homed was for that, and there is very
little benefit to doing any integration work for homed if we can't
universally reap the benefits of it.



-- 
真実はいつも一つ!/ Always, there's only one truth!
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-05 Thread Alexander Bokovoy

On Суб, 05 кас 2024, Zbigniew Jędrzejewski-Szmek wrote:

On Fri, Oct 04, 2024 at 12:17:14PM -0400, David Cantrell wrote:

The common use case for this is the Fedora laptop user which in nearly every
case is going to have one local user account.

I have always split /home from the rest of the system and I know others do
as well.  I would rather see anaconda modified so that if I am creating a
user account at install time, check for /home/USERNAME and if USERNAME
matches and the UID and GID matches, just don't create the home directory.
That is, -M on useradd(8).


Yeah, that's the other possible approach. But I think it's actually
quite complicated to make this work reliably. Traditional UNIX accounts
spread the information about the user over a bunch of files. Consistency
must be maintained, UIDs and GIDs on disk must match, etc. We _could_
add the smarts to cover all that in Anaconda, but Anaconda developers
are trying to simplify it, not add new complicated code.

OTOH, homed was created with the idea of self-contained "homes" from
the beginning, and systemd upstream is dedicating resources to make it
work. (E.g., currently, a full-time developer working on integration
of systemd-homed and GNOME on a grant from German STF.)
So I think it's much more maintainable to just make use of this and
let systemd upstream help with any bugs that we discover.

The homed approach would make other things possible too. For example,
sharing of /home in dual-boot scenarios. Right now a manual setup
needs to be done, and login details need to be propagated each time,
but with homed, dual-boot and reinstall are very similar scenarios,
so if we get one to work, we get the other one for free.


Can we move systemd-homed configuration and activation into something
that could be explicitly enabled by the administrators? Whether this is
done during installation or post, it still would need to be a concious
step made by admins.

Right now systemd-homed is activated on each system without ask for it,
even on systems that do not benefit from its use (see parallel
discussion by Neal). I also see it as a sole contributor to SELinux AVCs
in OpenQA tests we run for FreeIPA use cases.

It would be best to have it explicitly enabled by admins, similarly how
authselect handles various authentication methods.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-05 Thread Zbigniew Jędrzejewski-Szmek
On Fri, Oct 04, 2024 at 01:20:40PM -0400, Neal Gompa wrote:
> It's fairly normal these days that the users are self-contained and
> otherwise local, *except* for login credentials. This use-case is
> important to support because this is pretty much how business laptops
> need to work.
> 
> In the long past, the dichotomy was clearer: you either had local
> users with local storage, or centrally managed users with remote
> storage. But nowadays it's always local storage, just with either
> local authentication or remote authentication. This also includes
> being able to cache remote authentication records (e.g. SSSD) for
> brief offline periods for logging in anyway.
> 
> So from my point of view, homed *should not* be incompatible with this
> use-case, even though it currently is.

I would just use normal users for that case. This functionality is
not going away and there would be no benefit from somehow shoehorning
remotely-defined users into systemd-homed.

Zbyszek
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-05 Thread Zbigniew Jędrzejewski-Szmek
On Fri, Oct 04, 2024 at 12:17:14PM -0400, David Cantrell wrote:
> The common use case for this is the Fedora laptop user which in nearly every
> case is going to have one local user account.
> 
> I have always split /home from the rest of the system and I know others do
> as well.  I would rather see anaconda modified so that if I am creating a
> user account at install time, check for /home/USERNAME and if USERNAME
> matches and the UID and GID matches, just don't create the home directory.
> That is, -M on useradd(8).

Yeah, that's the other possible approach. But I think it's actually
quite complicated to make this work reliably. Traditional UNIX accounts
spread the information about the user over a bunch of files. Consistency
must be maintained, UIDs and GIDs on disk must match, etc. We _could_
add the smarts to cover all that in Anaconda, but Anaconda developers
are trying to simplify it, not add new complicated code.

OTOH, homed was created with the idea of self-contained "homes" from
the beginning, and systemd upstream is dedicating resources to make it
work. (E.g., currently, a full-time developer working on integration
of systemd-homed and GNOME on a grant from German STF.)
So I think it's much more maintainable to just make use of this and
let systemd upstream help with any bugs that we discover.

The homed approach would make other things possible too. For example,
sharing of /home in dual-boot scenarios. Right now a manual setup
needs to be done, and login details need to be propagated each time,
but with homed, dual-boot and reinstall are very similar scenarios,
so if we get one to work, we get the other one for free.

Zbyszek
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-04 Thread Neal Gompa
On Fri, Oct 4, 2024 at 11:36 AM Zbigniew Jędrzejewski-Szmek
 wrote:
>
> On Fri, Oct 04, 2024 at 11:20:48AM -0400, Neal Gompa wrote:
> > When this was first explored a few years ago, the main problem that
> > came up was that homed is functionally incompatible with centralized
> > login systems (SSSD to FreeIPA/AD, OIDC, etc.). If this has changed,
> > then it would make sense to revisit.
>
> homed is about self-contained definitions of users. So obviously
> those users cannot be defined centrally… I think it's compatible in
> the sense that both kinds of users can be used on the same machine.
> Is there some more specific problem?
>

It's fairly normal these days that the users are self-contained and
otherwise local, *except* for login credentials. This use-case is
important to support because this is pretty much how business laptops
need to work.

In the long past, the dichotomy was clearer: you either had local
users with local storage, or centrally managed users with remote
storage. But nowadays it's always local storage, just with either
local authentication or remote authentication. This also includes
being able to cache remote authentication records (e.g. SSSD) for
brief offline periods for logging in anyway.

So from my point of view, homed *should not* be incompatible with this
use-case, even though it currently is.




--
真実はいつも一つ!/ Always, there's only one truth!
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-04 Thread David Cantrell

On 10/4/24 11:05, Zbigniew Jędrzejewski-Szmek wrote:

Hi folks,

I was recently doing a bunch of test reinstalls of Fedora [1],
looking to see if it's complicated to retain the user directories
during a reinstall. The answer is, sadly, that it's possible only with
some manual tinkering. This is a known problem [2].

With a little bit of trickery, Anaconda will let the "home" subvolume
be and install the system to a new "root" subvolume, so user data is
preserved. But then after a reboot a new user will be created, because
the old user is not hooked up into /etc/passwd.

We actually have a partial solution for this: systemd-homed.
With systemd-homed the information about the user is maintained in the
user directory/subvolume/partition, e.g. /home/username.homedir.
After a reinstall, ideally nothing needs to be done and the user
account is ready to be used.

The primary purpose of systemd-homed is to use per-user encryption
using loopback devices. This still has various problem related to
resizing and suspend. Work is being done [see 3,4 for recent developments],
but it's not at a point where we can recommend it.
But systemd-homed has a mode where the user "home" is just a normal
directory or btrfs subvolume with some metadata stored in files [5].
Some work would be needed [6] to make this work smoothly, but it
doesn't seem like too much. (Mostly filing down some rough edges
in systemd-homed and adding pam_home_systemd and nss_systemd
in various authselect profiles.)

Thus the question: would this be something worth looking into?

[1] 
https://discussion.fedoraproject.org/t/feedback-anaconda-web-ui-partitioning/108995/65
[2] 
https://discussion.fedoraproject.org/t/its-difficult-to-reformat-a-btrfs-partition-subvolume-in-the-installer/89052
[3] https://cfp.all-systems-go.io/all-systems-go-2024/talk/FFY3BB/
[4] https://www.youtube.com/watch?v=3e3IhBBU0JY
[5] https://systemd.io/HOME_DIRECTORY/
[6] When I tested this today, this actually doesn't work.
 systemd-homed does a misguided check that break reinstalls.
 We'd need to figure out some solution here. Most likely just
 conditionalize that part of the code.

Zbyszek


The common use case for this is the Fedora laptop user which in nearly 
every case is going to have one local user account.


I have always split /home from the rest of the system and I know others 
do as well.  I would rather see anaconda modified so that if I am 
creating a user account at install time, check for /home/USERNAME and if 
USERNAME matches and the UID and GID matches, just don't create the home 
directory.  That is, -M on useradd(8).


--
David Cantrell 
Red Hat, Inc. | Boston, MA | EST5EDT

--
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-04 Thread Zbigniew Jędrzejewski-Szmek
On Fri, Oct 04, 2024 at 11:20:48AM -0400, Neal Gompa wrote:
> When this was first explored a few years ago, the main problem that
> came up was that homed is functionally incompatible with centralized
> login systems (SSSD to FreeIPA/AD, OIDC, etc.). If this has changed,
> then it would make sense to revisit.

homed is about self-contained definitions of users. So obviously
those users cannot be defined centrally… I think it's compatible in
the sense that both kinds of users can be used on the same machine.
Is there some more specific problem?

Zbyszek
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: strawman proposal: homed directories for users

2024-10-04 Thread Neal Gompa
On Fri, Oct 4, 2024 at 11:05 AM Zbigniew Jędrzejewski-Szmek
 wrote:
>
> Hi folks,
>
> I was recently doing a bunch of test reinstalls of Fedora [1],
> looking to see if it's complicated to retain the user directories
> during a reinstall. The answer is, sadly, that it's possible only with
> some manual tinkering. This is a known problem [2].
>
> With a little bit of trickery, Anaconda will let the "home" subvolume
> be and install the system to a new "root" subvolume, so user data is
> preserved. But then after a reboot a new user will be created, because
> the old user is not hooked up into /etc/passwd.
>
> We actually have a partial solution for this: systemd-homed.
> With systemd-homed the information about the user is maintained in the
> user directory/subvolume/partition, e.g. /home/username.homedir.
> After a reinstall, ideally nothing needs to be done and the user
> account is ready to be used.
>
> The primary purpose of systemd-homed is to use per-user encryption
> using loopback devices. This still has various problem related to
> resizing and suspend. Work is being done [see 3,4 for recent developments],
> but it's not at a point where we can recommend it.
> But systemd-homed has a mode where the user "home" is just a normal
> directory or btrfs subvolume with some metadata stored in files [5].
> Some work would be needed [6] to make this work smoothly, but it
> doesn't seem like too much. (Mostly filing down some rough edges
> in systemd-homed and adding pam_home_systemd and nss_systemd
> in various authselect profiles.)
>
> Thus the question: would this be something worth looking into?
>

When this was first explored a few years ago, the main problem that
came up was that homed is functionally incompatible with centralized
login systems (SSSD to FreeIPA/AD, OIDC, etc.). If this has changed,
then it would make sense to revisit.


-- 
真実はいつも一つ!/ Always, there's only one truth!
-- 
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue