[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Guidance on solving the username namespacing problem

[Please cc me on replies as I am not currently subscribed to the list.]

Hi,

now that we are talking again about standardizing user creation using
sysusers, I wonder if you could give me any guidance on how to attack
the Debian system user namespacing problem.

There are some well-known usernames like "root" that are a given for an
organization to block. But there are many usernames dynamically created
by applications. DynamicUser would solve part of the problem, but some
services need to persist data and sometimes it is useful to reference a
fixed identity even outside of a filesystem context (e.g. in iptables
rules). At my organization we had collisions with regular usernames -
e.g. a user legitimately called themselves "bind" because part of their
name was "Bin". Debian does not maintain a complete list of such
usernames and it is even hard to compute from the packages right now,
given that the users are created from maintainer scripts and sometimes
are even configured from Debconf (which is another arbitrary indirection).

OpenBSD rather successfully standardized on the underscore prefix to
eliminate this conflict altogether. I would like that we recommend the
same thing.

The main question that has been raised was how to manage the migration.
I think the priority should be on stopping the bleeding and new users
should follow a consistent scheme, but I understand how without a
migration plan we just end up with "one more scheme" (even if it might
be the most popular now except using none at all[1]).

I tried to raise this issue in [2] a year ago, but I think I don't know
how to even start drafting a policy snippet about this. Would it be
sufficient to just mandate "In order to avoid collisions with accounts
created by the system administrator, usernames created by packages
should start with an underscore." (assuming we could get a rough
consensus for something like that) in 9.2.1 for now? Or is this
effectively infeasible until we come up with a good migration story?

Kind regards
Philipp Kern

[1] https://people.debian.org/~pkern/permanent/userlist.txt
[2] https://lists.debian.org/debian-devel/2019/02/msg00131.html and
following
Reply to: