Re: Seeking consensus for some changes in adduser
On Wed, 9 Mar 2022 17:29:01 -0500, Michael Stone <mstone@debian.org>
wrote:
>On Tue, Mar 08, 2022 at 12:29:43PM -0700, Sam Hartman wrote:
>>I don't think it makes sense to move toward 0700 home directories and to
>>loosen the umask for usergroups.
>
>Those are actually unrelated--the big reason for the more permissive
>umask is to allow people to seamlessly work with other people in a
>group, especially within setgid shared directories. Those shared
>directories can be anywhere, and are likely *not* in a single user's
>home.
Hence, no change needed in adduser? Or is that an argument for having
DIR_MODE=0700 in default?
>This was changed in coreutils to be posix-compliant more than 20 years
>ago. The spec is that chown accepts user:group syntax, and chown will
>always first attempt to split on ":". If there is no :, chown will try to
>resolve the whole argument as a username (that is, regardless of whether
>there's a "."). If the username isn't resolvable *and* it contains a
>".", it will try to split on the first "." and use the left side as the
>username and the right side as the group. So *only if* someone attempts
>to use a dot-containing username in chown without a : and the
>dot-containing username is invalid, then it might be interpreted as a
>user.group spec.
>Now, if someone is trying to actually use user.group
>syntax rather than the user:group syntax that's been standard for 20+
>years, that will definitely break in the presence of dot-containing
>usernames.
... but just in the case that the same string exists both as the last
component of a dot-containing user name AND as a group name. All other
cases are defined.
How would the spec listed above behave for user names with more than
one dot?
> Given how common such usernames are on other systems, I'd
>expect the breakage to be minimal by now, and a bug in anything still
>using that syntax. We could make coreutils print a deprecation warning,
>but that's never really been useful in the past; probably better to just
>error out any time a . is used for something other than a valid username
>and drop the 20+ year old compatability code.
Do you want a coreutils bug to error out in the case of user.group
notation in chown? I guess it's due time. Would we go alone in Debian
or would you prefer that we try convincing upstream to finally go that
way? I am not convinced that Debian should derive from standard
behavior here, but you have the coreutils hat on and I would support
either decision.
And then we'd have to decide whether adduser may allow dot-containing
user names before coreutils made this change.
Greetings
Marc
--
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber | " Questions are the | Mailadresse im Header
Mannheim, Germany | Beginning of Wisdom " |
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
Reply to: