pid1: warn if people use User=nobody (#16293)

master
Lennart Poettering 2 years ago committed by GitHub
parent 7143b95552
commit bed0b7dfc0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 4
      TODO
  2. 20
      catalog/systemd.catalog.in
  3. 11
      src/core/load-fragment.c
  4. 4
      src/systemd/sd-messages.h

@ -30,10 +30,6 @@ Features:
* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
* warn if User=nobody is used in a unit file. It's the overflow UID after all,
and the service might thus get access to files it really should not get
access to on NFS and userns environments.
* build short web pages out of each catalog entry, build them along with man
pages, and include hyperlinks to them in the journal output

@ -464,3 +464,23 @@ system shutdown.
It is generally recommended to avoid such overly long mount point paths, or —
if used anyway – manage them independently of systemd, i.e. establish them as
well as tear them down automatically at system shutdown by other software.
-- b480325f9c394a7b802c231e51a2752c
Subject: Special user @OFFENDING_USER@ configured, this is not safe!
Defined-By: systemd
Support: %SUPPORT_URL%
Documentation: https://systemd.io/UIDS-GIDS
The unit @UNIT@ is configured to use User=@OFFENDING_USER@.
This is not safe. The @OFFENDING_USER@ user's main purpose on Linux-based
operating systems is to be the owner of files that otherwise cannot be mapped
to any local user. It's used by the NFS client and Linux user namespacing,
among others. By running a unit's processes under the identity of this user
they might possibly get read and even write access to such files that cannot
otherwise be mapped.
It is strongly recommended to avoid running services under this user identity,
in particular on systems using NFS or running containers. Allocate a user ID
specific to this service, either statically via systemd-sysusers or dynamically
via the DynamicUser= service setting.

@ -13,6 +13,8 @@
#include <sched.h>
#include <sys/resource.h>
#include "sd-messages.h"
#include "af-list.h"
#include "alloc-util.h"
#include "all-units.h"
@ -2287,6 +2289,15 @@ int config_parse_user_group_compat(
return -ENOEXEC;
}
if (strstr(lvalue, "User") && streq(k, NOBODY_USER_NAME))
log_struct(LOG_NOTICE,
"MESSAGE=%s:%u: Special user %s configured, this is not safe!", filename, line, k,
"UNIT=%s", unit,
"MESSAGE_ID=" SD_MESSAGE_NOBODY_USER_UNSUITABLE_STR,
"OFFENDING_USER=%s", k,
"CONFIG_FILE=%s", filename,
"CONFIG_LINE=%u", line);
return free_and_replace(*user, k);
}

@ -166,6 +166,10 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_MOUNT_POINT_PATH_NOT_SUITABLE_STR \
SD_ID128_MAKE_STR(1b,3b,b9,40,37,f0,4b,bf,81,02,8e,13,5a,12,d2,93)
#define SD_MESSAGE_NOBODY_USER_UNSUITABLE SD_ID128_MAKE(b4,80,32,5f,9c,39,4a,7b,80,2c,23,1e,51,a2,75,2c)
#define SD_MESSAGE_NOBODY_USER_UNSUITABLE_STR \
SD_ID128_MAKE_STR(b4,80,32,5f,9c,39,4a,7b,80,2c,23,1e,51,a2,75,2c)
_SD_END_DECLARATIONS;
#endif

Loading…
Cancel
Save