Archives
Archives
| From: | Michal Hrusecky <miska@g.o> |
|---|---|
| To: | gentoo-dev@l.g.o |
| Subject: | [gentoo-dev] RFC: Namespace for users created for packages |
| Date: | Wed, 26 Mar 2014 13:39:05 |
| Message-Id: | 20140326133258.GB18451@susebook.ipv6.hrusecky.net |
| 1 | Hi all, |
| 2 | |
| 3 | interesting discussion started in openSUSE mailing list[1][2] and I would like |
| 4 | to open up the same question on this mailing list. |
| 5 | |
| 6 | Basically it is about the following problem. Citing parts of proposal: |
| 7 | |
| 8 | Many packages need to add user and group names for their unprivileged daemons. |
| 9 | Many names are short for convenience, e.g. 'pop', 'vdr', 'tor' or 'znc'. Since |
| 10 | there is no separate name space for system users those names may collide with |
| 11 | names of real persons. Sharing a user name between a system user and a normal |
| 12 | user leads to surprising or even security relevant misbehavior as the daemon |
| 13 | user may write to files in the real user's home or vice versa. |
| 14 | |
| 15 | Conclusion, in short, is to prefix system users (with some exceptions like root |
| 16 | or nobody) with underscore '_'. So you would get users like '_pop', '_vdr', |
| 17 | '_tor' or '_znc'. OpenBSD already does that[3]. openSUSE proposal with more |
| 18 | details can be seen on GitHub[4]. |
| 19 | |
| 20 | So the question is, what would you think about such a policy in Gentoo? |
| 21 | |
| 22 | [1] http://lists.opensuse.org/opensuse-factory/2014-03/msg00333.html |
| 23 | [2] http://lists.opensuse.org/opensuse-packaging/2014-02/msg00136.html |
| 24 | [3] http://www.openbsd.org/cgi-bin/cvsweb/~checkout~/ports/infrastructure/db/user.list?rev=HEAD;content-type=text%2Fplain |
| 25 | [4] https://github.com/lnussel/osep_opensuse_usernames/blob/master/opensuse_usernames.txt |
| 26 | |
| 27 | -- |
| 28 | Michal Hrusecky <Michal@××××××××.net> |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] RFC: Namespace for users created for packages | Alexander Berntsen <bernalex@g.o> |
| Re: [gentoo-dev] RFC: Namespace for users created for packages | Tom Wijsman <TomWij@g.o> |
| Re: [gentoo-dev] RFC: Namespace for users created for packages | Sven Vermeulen <swift@g.o> |
| Re: [gentoo-dev] RFC: Namespace for users created for packages | "Paweł Hajdan |