@ -30,10 +30,6 @@ Features:
* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
* warn if User=nobody is used in a unit file. It's the overflow UID after all,
and the service might thus get access to files it really should not get
access to on NFS and userns environments.
* build short web pages out of each catalog entry, build them along with man
pages, and include hyperlinks to them in the journal output
@ -464,3 +464,23 @@ system shutdown.
It is generally recommended to avoid such overly long mount point paths, or —
if used anyway – manage them independently of systemd, i.e. establish them as
well as tear them down automatically at system shutdown by other software.
Subject: Special user @OFFENDING_USER@ configured, this is not safe!
The unit @UNIT@ is configured to use User=@OFFENDING_USER@.
This is not safe. The @OFFENDING_USER@ user's main purpose on Linux-based
operating systems is to be the owner of files that otherwise cannot be mapped
to any local user. It's used by the NFS client and Linux user namespacing,
among others. By running a unit's processes under the identity of this user
they might possibly get read and even write access to such files that cannot
otherwise be mapped.
It is strongly recommended to avoid running services under this user identity,
in particular on systems using NFS or running containers. Allocate a user ID
specific to this service, either statically via systemd-sysusers or dynamically
via the DynamicUser= service setting.
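Review bot: The catalog entry explains why User=@OFFENDING_USER@ is unsafe but never says whether the setting was applied or rejected. In the config_parse_user_group_compat() hunk the value is still stored with free_and_replace(*user, k) after the message is logged, so the unit does run under that identity. Add a sentence to that effect after "This is not safe.", so an administrator reading the journal knows the message is a warning and that the service keeps running with the access described here until the unit file is changed.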
@ -13,6 +13,8 @@
@ -2287,6 +2289,15 @@ int config_parse_user_group_compat(
if (strstr(lvalue, "User") && streq(k, NOBODY_USER_NAME))
"MESSAGE=%s:%u: Special user %s configured, this is not safe!", filename, line, k,
return free_and_replace(*user, k);
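Review bot: The check in config_parse_user_group_compat() compares the configured value by name only, streq(k, NOBODY_USER_NAME), so a unit that names the overflow user by its numeric UID instead of by name would not match this comparison and would get no warning, even though the exposure described in the catalog entry is the same. Consider also resolving k to a UID and comparing it against the overflow UID. Separately, strstr(lvalue, "User") is a substring match on the directive name; if only User= is meant, streq(lvalue, "User") states that exactly and will not start matching other directives whose names contain "User" if they are ever routed through this parser. A short comment above the condition saying why Group= is left out would also help the next reader.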
@ -166,6 +166,10 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_MOUNT_POINT_PATH_NOT_SUITABLE_STR \
#define SD_MESSAGE_NOBODY_USER_UNSUITABLE SD_ID128_MAKE(b4,80,32,5f,9c,39,4a,7b,80,2c,23,1e,51,a2,75,2c)
#define SD_MESSAGE_NOBODY_USER_UNSUITABLE_STR \
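Review bot: SD_MESSAGE_NOBODY_USER_UNSUITABLE is built from hand-typed bytes (b4,80,32,5f,...) and SD_MESSAGE_NOBODY_USER_UNSUITABLE_STR repeats the same ID as a string on its continuation line. The two forms and the ID used for the new catalog entry have to agree, otherwise the journal will not attach the explanation to the logged message. Please confirm all three were generated from one value rather than retyped, and say in the commit message how the ID was produced.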