|
|
Subscribe / Log in / New account

User=0day considered harmful in systemd

User=0day considered harmful in systemd

Posted Jul 12, 2017 18:54 UTC (Wed) by anselm (subscriber, #2796)
In reply to: User=0day considered harmful in systemd by smckay
Parent article: User=0day considered harmful in systemd

I can see how it might be distasteful to a systemd developer to have to special-case the User= directive. On the other hand, it is usually better engineering to fail towards safety. Simply disregarding the directive by way of the usual mechanism in systemd is easy and consistent, but potentially dangerous and certainly not what a user would expect – based on outcomes, not starting the unit at all is the much better option compared to silently starting it as root.

to post comments

User=0day considered harmful in systemd

Posted Jul 12, 2017 21:30 UTC (Wed) by raven667 (subscriber, #5198) [Link] (2 responses)

Its not just special casing the User directive though, if you go down that road you need to special case every directive that might have security relevance, anything specifying SELinux or AppArmor, capabilities, namespaces, etc. and deal with the fact that different distros are set up slightly differently and that applications should include unit files in their source that may include directives that don't exist on old systems, including security features, but should still work across a wide range of old and future systems.

User=0day considered harmful in systemd

Posted Jul 12, 2017 23:06 UTC (Wed) by anselm (subscriber, #2796) [Link] (1 responses)

It's reasonable to expect that if you explicitly go to the trouble of specifying a user for a unit that isn't root, that unit won't inadvertently – and silently – be executed as root. This is not a backwards-compatibility issue since Unix has supported different users from the very start. I'm not as convinced that directives controlling new(ish) security features should automatically lead to hard errors on older systems that don't offer these features at all; perhaps emitting very obvious warnings that SELinux or AppArmor is not supported on this system and that therefore these features cannot be enabled is the reasonable tradeoff here, just so the administrator knows what to expect. It depends.

What certainly should not happen at all, ever, is that important and ubiquitous security settings are silently ignored (or ignored with a generic warning) because systemd doesn't like a given configuration value. Arguably an error message such as “invalid username ‘0day’, using ‘root’ instead” would have called attention to the situation being discussed here, where silently falling back to root is an obviously bad idea no matter what distribution you're using and whether you're in the past, present, or future.

User=0day considered harmful in systemd

Posted Jul 13, 2017 2:50 UTC (Thu) by zuki (subscriber, #41808) [Link]

The warning (printed in red, multiple times, every time the unit is loaded) was:
> /etc/systemd/system/test.service:28: Invalid user/group name or numeric ID, ignoring: 0day

Anyway, that's how it was. systemd was patched to say:
> /etc/systemd/system/test.service:28: Invalid user/group name or numeric ID: 0day
> test.service: Failed to create test.service/start: Unit test.service is not loaded properly: Exec format error.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds