Re: Seeking consensus for some changes in adduser

To: debian-devel@lists.debian.org
Subject: Re: Seeking consensus for some changes in adduser
From: Richard Laager <rlaager@debian.org>
Date: Thu, 10 Mar 2022 13:42:03 -0600
Message-id: <[🔎] 1a0bca76-6f3e-000e-800a-b656f4ca1d55@debian.org>
In-reply-to: <[🔎] E1nSBeH-001Lji-Ar@drop.zugschlus.de>
References: <[🔎] YieJALY0ny0+07pw@torres.zugschlus.de> <[🔎] e31837fe-2265-c63d-d551-fd70bcec1135@debian.org> <[🔎] E1nS2Tm-000r19-SQ@drop.zugschlus.de> <[🔎] 7c83cbf8-03a9-abc8-1cbe-9cadf5dcb866@debian.org> <[🔎] E1nSBeH-001Lji-Ar@drop.zugschlus.de>

On 3/9/22 23:47, Marc Haber wrote:

On Wed, 9 Mar 2022 14:35:52 -0600, Richard Laager <rlaager@debian.org>
wrote:

If the admin can change the default DIR_MODE that applies to system user
home directories, then any postinst script doing `adduser --system`
needs to also explicitly chmod its home directory if it needs anything
more permissive than 700 or more restrictive than 755. This is true
today and remains true whether or not the default DIR_MODE is changed.

Anything that NEEDS to be written in postinst scripts is bad. I'd
rather implement a SYSTEM_DIR_MODE setting that applies to directories
created during creation of a --system user.

Would that help with the issue?

Yes that would _help_, as that would allow the system administrator tochange DIR_MODE without changing SYSTEM_DIR_MODE.

However, if SYSTEM_DIR_MODE is configurable, you end up with the sameproblem: unless a given package can work with _any_ reasonable mode (700to 755), it must explicitly set its own mode. Otherwise, if theadministrator sets SYSTEM_DIR_MODE to something too restrictive(scenario A below), some packages will break; if they set it toopermissive, some packages will become insecure (scenario B).

Having a hardcoded default for system users would at least allowpackages certainty, and those that were happy with the default would notneed to chmod.


Further, my assumption is that there are two different scenarios:

A) The system user's home directory needs to be open. For example, ifthere is a socket in there that needs to be world-writable, which Ithink you were talking about.

B) The system user's home directory needs to be private. For example,there is sensitive data in there. (Another, perhaps better, answer isthat the _files_ should have restricted permissions.)

_If_ it is the case that both of these scenarios exist, then no singlevalue (default or hardcoded) can satisfy both. So the default shouldeither be the most common mode, or the most restrictive (reasonable) mode.

This should probably be my last email on this subtopic. Hopefully I'veconveyed my points for your consideration. I don't feel that I'm anexpert on the use of system users in Debian.


--
Richard

Attachment: OpenPGP_signature
Description: OpenPGP digital signature

Reply to:

References:
- Seeking consensus for some changes in adduser
  - From: Marc Haber <mh+debian-devel@zugschlus.de>
- Re: Seeking consensus for some changes in adduser
  - From: Richard Laager <rlaager@debian.org>
- Re: Seeking consensus for some changes in adduser
  - From: Marc Haber <mh+debian-devel@zugschlus.de>
- Re: Seeking consensus for some changes in adduser
  - From: Richard Laager <rlaager@debian.org>
- Re: Seeking consensus for some changes in adduser
  - From: Marc Haber <mh+debian-devel@zugschlus.de>

Prev by Date: Re: proposed MBF: packages still using source format 1.0
Next by Date: Bug#1007024: ITP: golang-github-cjoudrey-gluaurl -- url parser and builder module for gopher-lua (library)
Previous by thread: Re: Seeking consensus for some changes in adduser
Next by thread: Re: Seeking consensus for some changes in adduser
Index(es):
- Date
- Thread