
Re: Guidance on solving the username namespacing problem



(And then my broken keyboard driver caused this to be sent prematurely.
But alas, it's out now.)

On 1/4/2020 1:52 PM, Philipp Kern wrote:
> [Please cc me on replies as I am not currently subscribed to the list.]
> 
> now that we are talking again about standardizing user creation using
> sysusers, I wonder if you could give me any guidance on how to attack
> the Debian system user namespacing problem.
> 
> There are some well-known usernames like "root" that are a given for an
> organization to block. But there are many usernames dynamically created
> by applications. DynamicUser would solve part of the problem, but some
> services need to persist data and sometimes it is useful to reference a
> fixed identity even outside of a filesystem context (e.g. in iptables
> rules). At my organization we had collisions with regular usernames -
> e.g. a user legitimately called themselves "bind" because part of their
> name was "Bin". Debian does not maintain a complete list of such
> usernames and it is even hard to compute from the packages right now,
> given that the users are created from maintainer scripts and sometimes
> are even configured from Debconf (which is another arbitrary indirection).
> 
> OpenBSD rather successfully standardized on the underscore prefix to
> eliminate this conflict altogether. I would like that we recommend the
> same thing.
> 
> The main question that has been raised was how to manage the migration.
> I think the priority should be on stopping the bleeding and new users
> should follow a consistent scheme, but I understand how without a
> migration plan we just end up with "one more scheme" (even if it might
> be the most popular now except using none at all[1]).
> 
> I tried to raise this issue in [2] a year ago, but I think I don't know
> how to even start drafting a policy snippet about this. Would it be
> sufficient to just mandate "In order to avoid collisions with accounts
> created by the system administrator, usernames created by packages
> should start with an underscore." (assuming we could get a rough
> consensus for something like that) in 9.2.1 for now? Or is this
> effectively infeasible until we come up with a good migration story?

A more bold move would be to tell daemon packagers to use DynamicUser
where feasible and only allocate more permanent users if there's a need
for it.

In the end what I'm looking for is input from the policy editors on how
to possibly approach this. Especially as AIUI policy is supposed to
document current consensus rather than necessarily set the standards.

Kind regards
Philipp Kern

