On Mon, Jul 10, 2017 at 4:41 PM, Lennart Poettering
wrote:
> On Mon, 10.07.17 15:58, Lennart Poettering (lenn...@poettering.net) wrote:
>
>> On Mon, 10.07.17 15:16, Jan Synacek (jsyna...@redhat.com) wrote:
>>
>> > On Mon, Jul 10, 2017 at 12:42 PM, Lennart Poettering
>> > wrote:
>> > > Now, becaus
On Mon, 10.07.17 17:45, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> On Mon, Jul 10, 2017 at 06:40:00PM +0200, Lennart Poettering wrote:
> > On Mon, 10.07.17 18:36, Lennart Poettering (lenn...@poettering.net) wrote:
> >
> > > > After all (as other people said) systemd has no such requ
On Mon, Jul 10, 2017 at 06:40:00PM +0200, Lennart Poettering wrote:
> On Mon, 10.07.17 18:36, Lennart Poettering (lenn...@poettering.net) wrote:
>
> > > After all (as other people said) systemd has no such requirements
> > > itself. It is true that such user names are confusing and
> > > non-porta
On Mon, 10.07.17 15:29, Zbigniew Jędrzejewski-Szmek (zbys...@in.waw.pl) wrote:
> > On current Fedora, the current regex useradd enforces appears to be
> > this:
> >
> > [a-zA-Z0-9._][a-zA-Z0-9._-]{0,30}[a-zA-Z0-9._-$]?
> >
> > If I read things correctly at least... (the trailing $ appears to
On Mon, 10.07.17 18:36, Lennart Poettering (lenn...@poettering.net) wrote:
> > After all (as other people said) systemd has no such requirements
> > itself. It is true that such user names are confusing and
> > non-portable, but if the local admin has or wants to have such an
> > account for whate
On Mon, Jul 10, 2017 at 4:03 PM, Lennart Poettering
wrote:
> On current Fedora, the current regex useradd enforces appears to be
> this:
>
> [a-zA-Z0-9._][a-zA-Z0-9._-]{0,30}[a-zA-Z0-9._-$]?
So, it *does* allow for usernames starting with numbers...
On Mon, Jul 10, 2017 at 05:03:09PM +0200, Lennart Poettering wrote:
> On Mon, 10.07.17 22:23, Michael Chapman (m...@very.puzzling.org) wrote:
>
> > > Well, it took 3 years or so, until someone noticed the strict rules we
> > > enforce. I seriously doubt that naming system users in such unsafe
> >
On Mon, 10.07.17 22:23, Michael Chapman (m...@very.puzzling.org) wrote:
> > Well, it took 3 years or so, until someone noticed the strict rules we
> > enforce. I seriously doubt that naming system users in such unsafe
> > ways is really that wide-spread usage.
>
> That _could_ be because people t
On Mon, 10.07.17 15:58, Lennart Poettering (lenn...@poettering.net) wrote:
> On Mon, 10.07.17 15:16, Jan Synacek (jsyna...@redhat.com) wrote:
>
> > On Mon, Jul 10, 2017 at 12:42 PM, Lennart Poettering
> > wrote:
> > > Now, because this is so weakly defined, we hence do not follow POSIX
> > > rul
On Monday, 10.07.2017, 12:57 +0200, Reindl Harald wrote:
>
> On 10.07.2017 at 12:55, Lennart Poettering wrote:
> >
> >
> > The "nobody" user has special semantics on Linux: it's where things
> > are mapped to that can't be mapped otherwise. It's used by user
> > namespacing, by NFS and othe
On Mon, 10.07.17 15:16, Jan Synacek (jsyna...@redhat.com) wrote:
> On Mon, Jul 10, 2017 at 12:42 PM, Lennart Poettering
> wrote:
> > Now, because this is so weakly defined, we hence do not follow POSIX
> > rules, but filter out more that might be dangerous. Specifically:
> >
> > 1. We do not perm
On Mon, Jul 10, 2017 at 12:42 PM, Lennart Poettering
wrote:
> Now, because this is so weakly defined, we hence do not follow POSIX
> rules, but filter out more that might be dangerous. Specifically:
>
> 1. We do not permit empty usernames
> 2. We don't permit the first character to be numeric
>
On Mon, 10 Jul 2017, Lennart Poettering wrote:
On Mon, 10.07.17 21:15, Michael Chapman (m...@very.puzzling.org) wrote:
Now, I do think that systemd has the duty to complain about any system
user names outside of the safe range. Not only for security reasons,
but also for portability and compati
On Mon, 10.07.17 21:15, Michael Chapman (m...@very.puzzling.org) wrote:
> > Now, I do think that systemd has the duty to complain about any system
> > user names outside of the safe range. Not only for security reasons,
> > but also for portability and compatibility reasons: I think we should
> >
On Mon, 10 Jul 2017, Lennart Poettering wrote:
On Thu, 06.07.17 13:21, Michael Chapman (m...@very.puzzling.org) wrote:
On Thu, 6 Jul 2017, Zbigniew Jędrzejewski-Szmek wrote:
On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
well, it even don't look but pretend it can't while it d
On Mon, 10 Jul 2017, Lennart Poettering wrote:
On Thu, 06.07.17 09:36, Michael Chapman (m...@very.puzzling.org) wrote:
User=0day fails a syntactic validation, not a semantic validation. systemd
never even checks to see whether the user exists when the unit is loaded.
And nor should it! The user
On 10.07.2017 at 12:42, Lennart Poettering wrote:
(I do accept though that it's a valid discussion whether systemd's
current behaviour of warning and skipping invalid User= rvalues is the
best choice, instead of erroring out completely.)
and *that* is the real point of the whole issue - if o
On 10.07.2017 at 12:55, Lennart Poettering wrote:
On Thu, 06.07.17 10:34, Reindl Harald (h.rei...@thelounge.net) wrote:
On 06.07.2017 at 09:59, Jonathan de Boyne Pollard wrote:
Reindl Harald:
> at least fall back to “nobody”
Jonathan de Boyne Pollard:
> That idea is wrong.
>
> h
On Thu, 06.07.17 10:34, Reindl Harald (h.rei...@thelounge.net) wrote:
>
>
> On 06.07.2017 at 09:59, Jonathan de Boyne Pollard wrote:
> > Reindl Harald:
> > > at least fall back to “nobody”
> >
> > Jonathan de Boyne Pollard:
> > > That idea is wrong.
> > >
> > > https://news.ycombinator.com
On Thu, 06.07.17 13:21, Michael Chapman (m...@very.puzzling.org) wrote:
> On Thu, 6 Jul 2017, Zbigniew Jędrzejewski-Szmek wrote:
> > On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
> > > well, it even don't look but pretend it can't while it does which is
> > > the worst type of ope
On Thu, 06.07.17 09:36, Michael Chapman (m...@very.puzzling.org) wrote:
> User=0day fails a syntactic validation, not a semantic validation. systemd
> never even checks to see whether the user exists when the unit is loaded.
> And nor should it! The user must be allowed to not exist at unit-load t
On 08.07.2017 at 08:29, Michael Chapman wrote:
On Sat, 8 Jul 2017, Kai Krakow wrote:
On Sat, 8 Jul 2017 08:05:44 +0200,
Kai Krakow wrote:
On Sat, 8 Jul 2017 11:39:02 +1000 (AEST),
Michael Chapman wrote:
On Sat, 8 Jul 2017, Kai Krakow wrote:
[...]
The bug here is that a leading number
On Sat, 8 Jul 2017, Kai Krakow wrote:
On Sat, 8 Jul 2017 08:05:44 +0200,
Kai Krakow wrote:
On Sat, 8 Jul 2017 11:39:02 +1000 (AEST),
Michael Chapman wrote:
On Sat, 8 Jul 2017, Kai Krakow wrote:
[...]
The bug here is that a leading number will "convert" to the number
and it actually runs
On Sat, 8 Jul 2017 08:05:44 +0200,
Kai Krakow wrote:
> On Sat, 8 Jul 2017 11:39:02 +1000 (AEST),
> Michael Chapman wrote:
>
> > On Sat, 8 Jul 2017, Kai Krakow wrote:
> > [...]
> > > The bug here is that a leading number will "convert" to the number
> > > and it actually runs with the UID sp
On Sat, 8 Jul 2017 11:39:02 +1000 (AEST),
Michael Chapman wrote:
> On Sat, 8 Jul 2017, Kai Krakow wrote:
> [...]
> > The bug here is that a leading number will "convert" to the number
> > and it actually runs with the UID specified that way: 0day = 0,
> > 7days = 7.
>
> No, this is not the ca
On 07.07.2017 at 21:55, Kai Krakow wrote:
On Tue, 4 Jul 2017 21:23:01 + (UTC),
Alexander Bisogiannis wrote:
On Tue, 04 Jul 2017 17:21:01 +, Zbigniew Jędrzejewski-Szmek wrote:
If you need root permissions to create a unit, then it's not a
security issue. An annoyance at most.
Th
On Sat, 8 Jul 2017, Kai Krakow wrote:
[...]
The bug here is that a leading number will "convert" to the number and
it actually runs with the UID specified that way: 0day = 0, 7days = 7.
No, this is not the case. Only all-digit User= values are treated as UIDs.
On Tue, 4 Jul 2017 21:23:01 + (UTC),
Alexander Bisogiannis wrote:
> On Tue, 04 Jul 2017 17:21:01 +, Zbigniew Jędrzejewski-Szmek wrote:
>
> > If you need root permissions to create a unit, then it's not a
> > security issue. An annoyance at most.
>
> The fact that you need to be root
On Wed, Jul 05, 2017 at 08:10:15PM +1000, Michael Chapman wrote:
> On Wed, 5 Jul 2017, Colin Guthrie wrote:
> >Reindl Harald wrote on 04/07/17 19:50:
> >>>When new configuration options are added, the same unit file can
> >>>almost always be used with older systemd, and it'll just warn & ignore
> >
On 06.07.2017 at 09:59, Jonathan de Boyne Pollard wrote:
Reindl Harald:
> at least fall back to “nobody”
Jonathan de Boyne Pollard:
> That idea is wrong.
>
> https://news.ycombinator.com/item?id=14681377#14682059
Reindl Harald:
> better than a stupid [...]
Not really, no. It's the sam
Reindl Harald:
> at least fall back to “nobody”
Jonathan de Boyne Pollard:
> That idea is wrong.
>
> https://news.ycombinator.com/item?id=14681377#14682059
Reindl Harald:
> better than a stupid [...]
Not really, no. It's the same category of error, in fact: substituting an
account other than th
On Wednesday, 05.07.2017, 20:10 +1000, Michael Chapman wrote:
> I'm pretty sure you'll find that it does. Specifically, it will fail when
> the child process for the command being executed attempts to map the
> username to a UID.
>
> The issue being discussed here is that systemd considers "
On Thu, 6 Jul 2017, Zbigniew Jędrzejewski-Szmek wrote:
On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
well, it even don't look but pretend it can't while it does which is
the worst type of operations possible - as long as "adduser" of the
underlying OS accepts and create "0pointe
On Thu, Jul 06, 2017 at 01:43:32AM +0200, Reindl Harald wrote:
>
>
> On 06.07.2017 at 01:36, Michael Chapman wrote:
> >Note that the semantic validations you're talking about here --
> >things like "does the user exist?" -- are _not_ preemptive. They
> >are fatal: the child process will exit uns
On 06.07.2017 at 01:36, Michael Chapman wrote:
Note that the semantic validations you're talking about here -- things
like "does the user exist?" -- are _not_ preemptive. They are fatal: the
child process will exit unsuccessfully as the command is executed if the
settings will not be able to
On Thu, 6 Jul 2017, Felipe Sateler wrote:
On Tue, 04 Jul 2017 18:39:15 +, Zbigniew Jędrzejewski-Szmek wrote:
Essentially, User=0day is the same as Usre=0day and the same as User="my
name is pretty!".
I think this is the root of the disagreement. Systemd tries to allow
units written for ve
On 05.07.2017 at 20:34, Jonathan de Boyne Pollard wrote:
Reindl Harald:
at least fall back to "nobody"
That idea is wrong.
https://news.ycombinator.com/item?id=14681377#14682059
better than a stupid "i fall back to root because i think i make the
rules and not the underlying operating
Reindl Harald:
>
> at least fall back to "nobody"
>
That idea is wrong.
https://news.ycombinator.com/item?id=14681377#14682059
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/system
On Tue, 04 Jul 2017 18:39:15 +, Zbigniew Jędrzejewski-Szmek wrote:
> Essentially, User=0day is the same as Usre=0day and the same as User="my
> name is pretty!".
I think this is the root of the disagreement. Systemd tries to allow
units written for version X to run on versions earlier than X
On 05.07.2017 at 12:32, Michael Chapman wrote:
On Wed, 5 Jul 2017, Reindl Harald wrote:
The issue being discussed here is that systemd considers "0day" to be
_syntactically_ invalid for a username. See the valid_user_group_name()
function in basic/user-util.c.
yes and hence it should FAI
On Wed, 5 Jul 2017, Reindl Harald wrote:
On 05.07.2017 at 12:10, Michael Chapman wrote:
On Wed, 5 Jul 2017, Colin Guthrie wrote:
> Reindl Harald wrote on 04/07/17 19:50:
> > > When new configuration options are added, the same unit file can
> > > almost always be used with older systemd,
On Wed, 5 Jul 2017, Colin Guthrie wrote:
Reindl Harald wrote on 04/07/17 19:50:
When new configuration options are added, the same unit file can
almost always be used with older systemd, and it'll just warn & ignore
the parts it doesn't understand. Similarly, various configuration
options might
On 05.07.2017 at 12:10, Michael Chapman wrote:
On Wed, 5 Jul 2017, Colin Guthrie wrote:
Reindl Harald wrote on 04/07/17 19:50:
When new configuration options are added, the same unit file can
almost always be used with older systemd, and it'll just warn & ignore
the parts it doesn't understa
Reindl Harald wrote on 04/07/17 19:50:
>> When new configuration options are added, the same unit file can
>> almost always be used with older systemd, and it'll just warn & ignore
>> the parts it doesn't understand. Similarly, various configuration
>> options might be unavailable on some architect
On Tue, 04 Jul 2017 17:21:01 +, Zbigniew Jędrzejewski-Szmek wrote:
> If you need root permissions to create a unit, then it's not a security
> issue. An annoyance at most.
The fact that you need to be root to create a unit file is irrelevant.
Systemd is running a service as a different user
On 04.07.2017 at 20:39, Zbigniew Jędrzejewski-Szmek wrote:
On Tue, Jul 04, 2017 at 07:36:02PM +0200, Reindl Harald wrote:
On 04.07.2017 at 19:21, Zbigniew Jędrzejewski-Szmek wrote:
My question is:
Is this a bug with a BZ against rhel/centos7 (as my understanding is that
this affects EL7
On Tue, Jul 04, 2017 at 07:36:02PM +0200, Reindl Harald wrote:
>
>
> On 04.07.2017 at 19:21, Zbigniew Jędrzejewski-Szmek wrote:
> >>My question is:
> >>
> >>Is this a bug with a BZ against rhel/centos7 (as my understanding is that
> >>this affects EL7 too)?
> >>
> >>If there is no BZ and based o
On 04.07.2017 at 19:21, Zbigniew Jędrzejewski-Szmek wrote:
My question is:
Is this a bug with a BZ against rhel/centos7 (as my understanding is that
this affects EL7 too)?
If there is no BZ and based on the wording of the second to last comment
by poettering, will this be fixed/changed in a
On Tue, Jul 04, 2017 at 04:59:23PM +, Alexander Bisogiannis wrote:
> Hi all,
>
> https://github.com/systemd/systemd/issues/6237
>
> Apologies for asking here, but since the discussion is locked in Github I
> thought to ask here.
>
> This was marked as "not a bug", but in later comments the