Re: [DNG] systemd allows elevated access from unit files?

2017-07-06 Thread Simon Hobson
Olaf Meeuwissen wrote: >> But, sysv-init has much the same issue in that there's a shell script >> run as root, > > I beg to differ. If you try to run a service as user '0day' from a > sysv-init script, then you get the behaviour of implemented by > > - that service

Re: [DNG] systemd allows elevated access from unit files?

2017-07-06 Thread Olaf Meeuwissen
Hi Simon, Simon Hobson writes: > Olaf Meeuwissen wrote: > >> No idea whether systemd services run by non-system users makes sense but >> then again, lots of systemd probably doesn't make much sense. > > Do you mean "systemd service" as in "something that's part of >

Re: [DNG] systemd allows elevated access from unit files?

2017-07-05 Thread Simon Hobson
Olaf Meeuwissen wrote: > No idea whether systemd services run by non-system users makes sense but > then again, lots of systemd probably doesn't make much sense. Do you mean "systemd service" as in "something that's part of systemd"; or do you mean "something that's

Re: [DNG] systemd allows elevated access from unit files?

2017-07-05 Thread Olaf Meeuwissen
Hi, Adam Borowski writes: > On Tue, Jul 04, 2017 at 08:14:40PM +0900, Olaf Meeuwissen wrote: >> Evilham writes: >> > Hi there, >> > >> > On 03/07/2017 at 16:08, dev wrote: >> >> "So, yeah, I don't think there's anything to fix in systemd here." >> >>- Poettering >> >> >> >> Not sure

Re: [DNG] systemd allows elevated access from unit files?

2017-07-05 Thread Alessandro Selli
On 05/07/2017 at 03:40, Nate Bargmann wrote: > * On 2017 04 Jul 18:59 -0500, Rick Moen wrote: >> Quoting Nate Bargmann (n...@n0nb.us): >> >>> * On 2017 04 Jul 13:27 -0500, Evilham wrote: >>> >>> Well, it still doesn't read mail. >>> >>> Or does it? >> >> Well, it _does_ now include a shell

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Nate Bargmann
* On 2017 04 Jul 18:59 -0500, Rick Moen wrote: > Quoting Nate Bargmann (n...@n0nb.us): > > > * On 2017 04 Jul 13:27 -0500, Evilham wrote: > > > > Well, it still doesn't read mail. > > > > Or does it? > > Well, it _does_ now include a shell interpreter (debug-shell.service), > so it's a short

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Rick Moen
Quoting Nate Bargmann (n...@n0nb.us): > * On 2017 04 Jul 13:27 -0500, Evilham wrote: > > Well, it still doesn't read mail. > > Or does it? Well, it _does_ now include a shell interpreter (debug-shell.service), so it's a short step from there to (badly) reimplementing emacs and Gnus. ;->

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Alessandro Selli
On Mon, 3 Jul 2017 at 09:08:11 -0500 dev wrote: > Sounds like a "won't fix", too: > > "So, yeah, I don't think there's anything to fix in systemd here." >- Poettering > > Not sure what's more troubling here[1]; the lack of concern, the > digression from POSIX, or the

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Evilham
On 04/07/2017 at 13:22, Joachim Fahrner wrote: > > Next step probably will be to supersede unix user management and > integrate it into systemd :-D Ehem. There is no provision to delete users. https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html -- Evilham

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Adam Borowski
On Tue, Jul 04, 2017 at 08:14:40PM +0900, Olaf Meeuwissen wrote: > Evilham writes: > > Hi there, > > > > On 03/07/2017 at 16:08, dev wrote: > >> "So, yeah, I don't think there's anything to fix in systemd here." > >>- Poettering > >> > >> Not sure what's more troubling here[1]; the lack of

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Alessandro Selli
On Tue, 04 Jul 2017 at 13:22:47 +0200 Joachim Fahrner wrote: > On 2017-07-04 12:46, Alessandro Selli wrote: >> I still think it's a bug that systemd runs a process as root when >> adduser is >> configured to prevent creation of a user with a given name but such a >> user

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Olaf Meeuwissen
Hi, Evilham writes: > Hi there, > > On 03/07/2017 at 16:08, dev wrote: >> Sounds like a "won't fix", too: >> >> "So, yeah, I don't think there's anything to fix in systemd here." >>- Poettering >> >> Not sure what's more troubling here[1]; the lack of concern, the >> digression from

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Joachim Fahrner
On 2017-07-04 12:46, Alessandro Selli wrote: I still think it's a bug that systemd runs a process as root when adduser is configured to prevent creation of a user with a given name but such a user does exist. Next step probably will be to supersede unix user management and integrate it

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Alessandro Selli
On Tue, 4 Jul 2017 at 09:38:36 +0200 Giovanni Rapagnani wrote: > > > On 03/07/17 18:23, Joachim Fahrner wrote: >> On 2017-07-03 17:34, dev wrote: >>> useradd and adduser work differently. One allows it, the other does not. >>> Just thought 'why not make them work the same?'.

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Adam Borowski
On Tue, Jul 04, 2017 at 09:59:36AM +0200, Giovanni Rapagnani wrote: > On 04/07/17 09:23, Giovanni Rapagnani wrote: > > the flag will only disable the check against NAME_REGEX defined in > > /etc/adduser.conf. The flag will not permit to create usernames starting > > with dash or containing invalid

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Giovanni Rapagnani
On 04/07/17 09:23, Giovanni Rapagnani wrote: the flag will only disable the check against NAME_REGEX defined in /etc/adduser.conf. The flag will not permit to create usernames starting with dash or containing invalid characters (ie not in [-0-9a-z_]) . for the sake of not spreading false

Re: [DNG] systemd allows elevated access from unit files?

2017-07-04 Thread Giovanni Rapagnani
On 03/07/17 18:23, Joachim Fahrner wrote: On 2017-07-03 17:34, dev wrote: useradd and adduser work differently. One allows it, the other does not. Just thought 'why not make them work the same?'. That's all. That's right, that's a bug. They should work the same, and they should follow

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread Hendrik Boom
On Mon, Jul 03, 2017 at 10:45:29AM -0500, dev wrote: > On 07/03/2017 10:40 AM, Evilham wrote: > > > > That's the thing, we can do that :-) probably should, but the "right > > way" (from a standards point of view) would be to actually allow those > > names ^^ not to disallow them. So instead of

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread Hendrik Boom
On Mon, Jul 03, 2017 at 04:36:30PM +0200, Evilham wrote: > Hi there, > > On 03/07/2017 at 16:08, dev wrote: ... > > > > useradd 0day works on Devuan. adduser 0day does not. Which is correct? > > I had this discussion yesterday, so here are my 2 cents :-). > > It is quite inconsistent what a

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread d_pridge
When was that option added? Sent from my MetroPCS 4G LTE Android Device Original message From: Evilham <dev...@evilham.com> Date: 7/3/17 11:03 AM (GMT-06:00) To: dng@lists.dyne.org Subject: Re: [DNG] systemd allows elevated access from unit files? Am 03/07/2017 um

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread Joachim Fahrner
On 2017-07-03 17:34, dev wrote: useradd and adduser work differently. One allows it, the other does not. Just thought 'why not make them work the same?'. That's all. That's right, that's a bug. They should work the same, and they should follow POSIX-rules, not Poettering-rules. Jochen

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread Evilham
On 03/07/2017 at 17:57, KatolaZ wrote: > On Mon, Jul 03, 2017 at 10:45:29AM -0500, dev wrote: >> On 07/03/2017 10:40 AM, Evilham wrote: >> >> >>> That's the thing, we can do that :-) probably should, but the "right >>> way" (from a standards point of view) would be to actually allow those >>>

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread KatolaZ
On Mon, Jul 03, 2017 at 10:45:29AM -0500, dev wrote: > On 07/03/2017 10:40 AM, Evilham wrote: > > > > That's the thing, we can do that :-) probably should, but the "right > > way" (from a standards point of view) would be to actually allow those > > names ^^ not to disallow them. So instead of

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread dev
On 07/03/2017 10:40 AM, Evilham wrote: > That's the thing, we can do that :-) probably should, but the "right > way" (from a standards point of view) would be to actually allow those > names ^^ not to disallow them. So instead of modifying the way useradd > works, the way adduser works should be

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread Evilham
On 03/07/2017 at 17:34, dev wrote: > On 07/03/2017 10:17 AM, Evilham wrote: >> On 03/07/2017 at 17:06, dev wrote: >>> Would this be a good case to dis-allow ^0-9 by default but add a switch >>> to allow it? >> >> What's the case for disallowing those at all? names starting with a >> digit _are_

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread dev
On 07/03/2017 10:17 AM, Evilham wrote: > On 03/07/2017 at 17:06, dev wrote: >> Would this be a good case to dis-allow ^0-9 by default but add a switch >> to allow it? > > What's the case for disallowing those at all? names starting with a > digit _are_ valid usernames. useradd and adduser

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread Evilham
On 03/07/2017 at 17:06, dev wrote: > Would this be a good case to dis-allow ^0-9 by default but add a switch > to allow it? What's the case for disallowing those at all? names starting with a digit _are_ valid usernames. It is an issue with systemd (and, to a different extent, shadow), we

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread dev
On 07/03/2017 09:58 AM, Rowland Penny wrote: > > The problem is, '0day' is a perfectly acceptable name in Active > Directory and that includes a Samba AD. Would this be a good case to dis-allow ^0-9 by default but add a switch to allow it?

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread Rowland Penny
On Mon, 3 Jul 2017 09:54:27 -0500 dev wrote: > > On 07/03/2017 09:36 AM, Evilham wrote: > > Hi there, > > > > > > > (Maybe we should file a bug on bugs.devuan.org + bugs.debian.org + > > shadow repo against shadow?) > > > > Seems pretty straightforward to patch

Re: [DNG] systemd allows elevated access from unit files?

2017-07-03 Thread Joachim Fahrner
On 2017-07-03 16:08, dev wrote: Sounds like a "won't fix", too: "So, yeah, I don't think there's anything to fix in systemd here." - Poettering Not sure what's more troubling here[1]; the lack of concern, the digression from POSIX, or the bug/backdoor itself. Maybe all three. useradd

[DNG] systemd allows elevated access from unit files?

2017-07-03 Thread dev
Sounds like a "won't fix", too: "So, yeah, I don't think there's anything to fix in systemd here." - Poettering Not sure what's more troubling here[1]; the lack of concern, the digression from POSIX, or the bug/backdoor itself. Maybe all three. useradd 0day works on Devuan. adduser 0day