Bug#1003192: debian-edu-config: /etc/login.defs not adjusted for Debian Edu like /etc/adduser.conf

To: 1003192@bugs.debian.org
Subject: Bug#1003192: debian-edu-config: /etc/login.defs not adjusted for Debian Edu like /etc/adduser.conf
From: Guido Berhoerster <guido@berhoerster.name>
Date: Fri, 22 Sep 2023 15:04:11 +0200
Message-id: <[🔎] 5409e1cc-f02c-0fc6-6b77-180198543da5@berhoerster.name>
Reply-to: Guido Berhoerster <guido@berhoerster.name>, 1003192@bugs.debian.org
In-reply-to: <[🔎] f1d48427-2a46-23da-8b37-17c8f468bc3e@berhoerster.name>
References: <20220105203112.Horde.kwuU1lCYuJbORjRFjmZgvhL@mail.das-netzwerkteam.de> <20220105203112.Horde.kwuU1lCYuJbORjRFjmZgvhL@mail.das-netzwerkteam.de> <[🔎] f1d48427-2a46-23da-8b37-17c8f468bc3e@berhoerster.name> <[🔎] f1d48427-2a46-23da-8b37-17c8f468bc3e@berhoerster.name> <20220105203112.Horde.kwuU1lCYuJbORjRFjmZgvhL@mail.das-netzwerkteam.de>

On Fri, 22 Sep 2023 13:57:09 +0200 Guido Berhoerster <guido@berhoerster.name> wrote:
> In addition to systemd, polkitd now also uses a UID above 499, on a main
> server with MATE desktop I have the following UIDs above 499:
> 
> 995 polkitd
> 997 systemd-timesync
> 998 systemd-network

Regarding systemd, systemd-sysusers is the third mechanism how system 
users can be created.

So these users are created by systemd-sysusers either during 
installation by a postinst script (like e.g. polkitd) or during boot via
the systemd-sysusers.service. The UID/GID range in systemd-sysusers is
determined either per file, that is on a system level by each package,
or compiled-in default which is 0-999, there is no run-time 
configuration for system administrators and the documentation strongly
discourages changing that.

The actual allocation algorithm does not seem to be documented, (but in
best systemd tradition) it seems to be the opposite what other tools are
doing, allocating from highest to lowest which causes the problems for
us.

There is actually an escape hatch, systemd can be compiled with
-Dcompat-mutable-uid-boundaries=true which makes it obey /etc/login.defs
at runtime. Again the docs state that this is a compatibility feature
which should only be used for upgrading systems. So it is not clear how
much this can be relied on in the future.

So our options are to:

- try to convince the rest of Debian to limit the system UID/GID range
  to 0-499
- convince every package maintainer to explicitly specify a range 0-499
  in their systemd-sysuser config file
- try to get the systemd package maintainers to build the package with
  -Dcompat-mutable-uid-boundaries=true
- change the DebianEdu scheme giving LDAP users a UID/GIDs range
  2000-60000 or similar

Suggestions?

References:
- https://systemd.io/UIDS-GIDS/
- https://www.freedesktop.org/software/systemd/man/systemd-sysusers.html
- https://www.freedesktop.org/software/systemd/man/sysusers.d.html

-- 
Guido Berhoerster

Reply to:

Follow-Ups:
- Bug#1003192: debian-edu-config: /etc/login.defs not adjusted for Debian Edu like /etc/adduser.conf
  - From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>

References:
- Bug#1003192: debian-edu-config: /etc/login.defs not adjusted for Debian Edu like /etc/adduser.conf
  - From: Guido Berhoerster <guido@berhoerster.name>

Prev by Date: Bug#1003192: debian-edu-config: /etc/login.defs not adjusted for Debian Edu like /etc/adduser.conf
Next by Date: Bug#1052463: bookworm-pu: package debian-edu-doc/2.12.18~deb12u1
Previous by thread: Bug#1003192: debian-edu-config: /etc/login.defs not adjusted for Debian Edu like /etc/adduser.conf
Next by thread: Bug#1003192: debian-edu-config: /etc/login.defs not adjusted for Debian Edu like /etc/adduser.conf
Index(es):
- Date
- Thread