|
|
Subscribe / Log in / New account

Distributions

Mapping "nobody" in Fedora

By Jake Edge
July 27, 2016

The "nobody" user in Fedora is currently mapped to a different user ID (UID) value than some other distributions are using. In days gone past, that might not have been much of a concern, but with the advent of containers—cross-distribution containers in particular—there are reasons to consider making those IDs consistent. An RFC that was recently posted to the fedora-devel mailing list by Lennart Poettering argues for doing just that.

It turns out that there are two special UIDs in Linux. One of those is rather well-known—0 for the root user—but the other is, perhaps, almost unknown. The UID 65534 (i.e. one less than the maximum 16-bit unsigned number) is known as the "overflow UID" and it is used for a few specific purposes by the kernel. On Debian and Ubuntu systems, that UID is mapped to the nobody user, but Fedora uses UID 99 for nobody.

By default, the 65534 UID on Fedora is not mapped to any name. However, if the nfs-utils package gets installed, 65534 becomes "nfsnobody". As Poettering noted, that is confusing because it implies the UID is somehow specific to NFS, which is not the case. But that is only one of the things that the kernel uses the overflow UID for. If UID mapping is enabled for an NFS volume, the kernel will map UIDs that can't be locally mapped to the overflow UID, he said.

In addition, he listed two other uses for the overflow ID. If a filesystem or architecture only supports 16-bit UIDs, but a 32-bit UID comes from elsewhere, the kernel will map those values to the overflow UID. Also, inside a user namespace, any external UIDs that don't have an internal mapping will instead be mapped to the overflow UID. The value of the overflow UID can be changed using /proc/sys/fs/overflowuid, but that would likely lead to other problems, he said.

So Poettering suggested that Fedora find a way to map the overflow UID to nobody, in keeping with the other distributions. He noted that the overflow UID appears much more often inside user namespaces (for instance as the owner of various /proc files), which will either show up as simply "65534" or "nfsnobody" depending on whether the NFS utilities are installed. Furthermore:

I think this is of particular relevance as Debian/Ubuntu-based container images tend to be substantially more popular than Fedora-based ones, and hence I think we should try to unify at least the names and semantics of the two special UIDs all distros have, to minimize mapping problems and making user interaction in containers a bit more friendly.

You might ask of course, why Fedora should change to adopt Debian's/Ubuntu's definition, instead of conversely making them adopt Fedora's definition? Well, that's simple: Debian's definition makes a lot more sense than Fedora's.

He also noted that, historically, system daemons would sometimes run as nobody, but it is "universally frowned upon". From what he could tell, nothing in Fedora does that, and he thought it was explicitly prohibited by Fedora packaging policy. Poettering was mistaken about those last two items, however. Sam Varshavchik pointed out that both the dnsmasq and distccd daemons run as nobody and suspected there were more:

It is a very popular pastime to take a listening daemon and chroot-jail it as the nobody user. I'm sure there's a bunch of other stuff in Fedora that does this. These are just the ones running on my box.

But Andrew Lutomirski said that the chroot() practice is insecure. Unless a PID namespace is also used, a process running as nobody can ptrace() another running as that user and escape the chroot(). Poettering wondered again if the practice is prohibited by the packaging guidelines, but James Hogarth looked into it and found nothing in those guidelines that did so. That led Poettering to file a Fedora packaging committee bug to try to resolve that.

In general, participants in the thread had favorable views about making the change, but one sticking point is a transition plan. Poettering suggested that new installs could get 65534 assigned to nobody and that the NFS utilities check for that assignment and not override it with nfsnobody. He said that most code should be using the numeric value anyway, since the names are not stable across distributions.

But Ondřej Vašík pointed to a bug that was filed about the nfsnobody user inside user namespaces, which was closed as "NOTABUG". Changing nfsnobody was deemed potentially disruptive in a comment by J. Bruce Fields on the bug. Fields further described some of those potential problems in a post in the thread. Access-control lists (ACLs) could change in surprising ways if nobody could map to 99 or 65534 on different systems, though that can already occur in mixed-distribution environments. He concluded:

It'd certainly be nice to see the current situation cleaned up. I don't feel like I understand what might break on transition.

Vašík was also concerned about scripts that rely on nfsnobody being present and that it maps to 65534, so eliminating that user could be problematic. Another possibility would be to have both nobody and nfsnobody map to 65534, as Zbigniew Jędrzejewski-Szmek described:

Tools that read /etc/passwd stop at the first matching entry, so 65534 will be resolved to nobody, and nfsnobody will be resolved to 65534 as before. AFAIK, people have used this trick to map multiple users to 0 for a long time, so it should mostly work. I just did that change locally, and names are resolved properly, pwck reports no errors. A potential pitfall could be other tools which munge /etc/passwd or /etc/group getting confused. Enabling this in rawhide should expose any if they exist.

Filesystems store UID information as numbers, so putting nobody ahead of nfsnobody would simply change how ls and other tools report the owner. But for utilities like tar, there may still be a problem, as Nico Kadel-Garcia pointed out:

I'm also [concerned] that it will change behavior for "tar", "rsync", "star", and other programs that can be configured to store and extract usernames *or* uids, or a mix of both.

[...]

Like I said, I'm thinking of "rsync", "tar", and "star". Also, people.... do some interesting scripting to detect things like failed NFS configurations. I'm not saying that's a blocker, but shifting it to overlap with the current "nfsnobody" is likely to break some people's tools in the field, especially if they run the latest Fedora alongside RHEL, CentOS, or previous Fedora releases.

Simo Sorce is less concerned, though, noting that "breakage for some will be un-breakage for someone else". Being consistent with the kernel and other distributions is more important, Sorce said. One other potential problem was raised by Benjamin Coddington; some references to specific mappings might be buried in C code. For example, he found a definition of the nobody UID as 99 in the Lustre filesystem code, though it is not clear what it is being used for (and it would have to be specific to Fedora and a few other distributions that use that mapping).

At this point, no major opposition has materialized, though there is no real feature proposal on the table yet. It is a potentially disruptive change but, as Sorce, Poettering, and others said, there is value in being consistent with other distributions. The next step would be for someone to formally propose it as a feature, get it approved, and put it into Rawhide to soak for a time—when, or if, that happens remains to be seen.

Comments (7 posted)

Brief items

Distribution quotes of the week

English has far worse ambiguities than this, and it is easily recognizable for what it is. No one will think that Debian is proposing that we have special rules for our furniture.

At any rate, we all know what an organization ruled by furniture is called: a bureaucracy :P

-- Daniel Kahn Gillmor

I'd rather you asked me for a signed agreement in triplicate before taking it out of the debian-private debian-developer-only archives to quote/post somewhere else.
-- Lionel Elie Mamane

Comments (none posted)

Ubuntu 16.04.1 LTS released

The Ubuntu team has announced the release of Ubuntu 16.04.1 LTS for its Desktop, Server, and Cloud products, as well as Kubuntu, Xubuntu, Mythbuntu, Ubuntu GNOME, Lubuntu, Ubuntu Kylin, Ubuntu MATE, and Ubuntu Studio. "As usual, this point release includes many updates, and updated installation media has been provided so that fewer updates will need to be downloaded after installation. These include security updates and corrections for other high-impact bugs, with a focus on maintaining stability and compatibility with Ubuntu 16.04 LTS."

Full Story (comments: none)

Distribution News

Debian GNU/Linux

ARM ports and Cloud Images BoFs

Steve McIntyre provides a summary of the of ARM ports Birds of a Feather sessions at DebConf. Topics include armel, armf, arm64, and more.

Steve also summarizes the Cloud Images BoF. Topics include stuff we're currently doing, stuff we should be doing, official image requirements, a proposed sprint, documentation, tooling, and more.

Comments (none posted)

Fedora

Fedora elections

Fedora elections are over and the results have been announced. Stephen Gallagher, Josh Boyer, Dennis Gilmore, and Dominik Mierzejewski have been elected to Fedora Engineering Steering Committee (FESCo). Langdon White has been elected to the Fedora Council.

Comments (none posted)

Newsletters and articles of interest

Distribution newsletters

Comments (none posted)

The newest version of OpenBSD closes potential security loopholes (InfoWorld)

InfoWorld takes a look at the upcoming OpenBSD 6.0 release. "Most significant among the latest security-related changes for OpenBSD is the removal of Linux emulation support. Prior versions of OpenBSD made it possible to run Linux applications by way of a compatibility layer, but the release notes for OpenBSD 6.0 indicate the Linux subsystem was removed as a "security improvement.""

Comments (25 posted)

Page editor: Rebecca Sobol
Next page: Development>>


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds