From bed0b7dfc0070e920d00c89d9a4fd4db8d974cf0 Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Fri, 26 Jun 2020 22:36:39 +0200 Subject: [PATCH] pid1: warn if people use User=nobody (#16293) --- TODO | 4 ---- catalog/systemd.catalog.in | 20 ++++++++++++++++++++ src/core/load-fragment.c | 11 +++++++++++ src/systemd/sd-messages.h | 4 ++++ 4 files changed, 35 insertions(+), 4 deletions(-) diff --git a/TODO b/TODO index c356f60a87..bb49b7a799 100644 --- a/TODO +++ b/TODO @@ -30,10 +30,6 @@ Features: * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it -* warn if User=nobody is used in a unit file. It's the overflow UID after all, - and the service might thus get access to files it really should not get - access to on NFS and userns environments. - * build short web pages out of each catalog entry, build them along with man pages, and include hyperlinks to them in the journal output diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in index 9ba5656f16..1d3b62a2f4 100644 --- a/catalog/systemd.catalog.in +++ b/catalog/systemd.catalog.in @@ -464,3 +464,23 @@ system shutdown. It is generally recommended to avoid such overly long mount point paths, or — if used anyway – manage them independently of systemd, i.e. establish them as well as tear them down automatically at system shutdown by other software. + +-- b480325f9c394a7b802c231e51a2752c +Subject: Special user @OFFENDING_USER@ configured, this is not safe! +Defined-By: systemd +Support: %SUPPORT_URL% +Documentation: https://systemd.io/UIDS-GIDS + +The unit @UNIT@ is configured to use User=@OFFENDING_USER@. + +This is not safe. The @OFFENDING_USER@ user's main purpose on Linux-based +operating systems is to be the owner of files that otherwise cannot be mapped +to any local user. It's used by the NFS client and Linux user namespacing, +among others. By running a unit's processes under the identity of this user +they might possibly get read and even write access to such files that cannot +otherwise be mapped. + +It is strongly recommended to avoid running services under this user identity, +in particular on systems using NFS or running containers. Allocate a user ID +specific to this service, either statically via systemd-sysusers or dynamically +via the DynamicUser= service setting. diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index 0445a3a2c9..f9c974f9b5 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -13,6 +13,8 @@ #include #include +#include "sd-messages.h" + #include "af-list.h" #include "alloc-util.h" #include "all-units.h" @@ -2287,6 +2289,15 @@ int config_parse_user_group_compat( return -ENOEXEC; } + if (strstr(lvalue, "User") && streq(k, NOBODY_USER_NAME)) + log_struct(LOG_NOTICE, + "MESSAGE=%s:%u: Special user %s configured, this is not safe!", filename, line, k, + "UNIT=%s", unit, + "MESSAGE_ID=" SD_MESSAGE_NOBODY_USER_UNSUITABLE_STR, + "OFFENDING_USER=%s", k, + "CONFIG_FILE=%s", filename, + "CONFIG_LINE=%u", line); + return free_and_replace(*user, k); } diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h index f5dd0a04c7..00846ea00b 100644 --- a/src/systemd/sd-messages.h +++ b/src/systemd/sd-messages.h @@ -166,6 +166,10 @@ _SD_BEGIN_DECLARATIONS; #define SD_MESSAGE_MOUNT_POINT_PATH_NOT_SUITABLE_STR \ SD_ID128_MAKE_STR(1b,3b,b9,40,37,f0,4b,bf,81,02,8e,13,5a,12,d2,93) +#define SD_MESSAGE_NOBODY_USER_UNSUITABLE SD_ID128_MAKE(b4,80,32,5f,9c,39,4a,7b,80,2c,23,1e,51,a2,75,2c) +#define SD_MESSAGE_NOBODY_USER_UNSUITABLE_STR \ + SD_ID128_MAKE_STR(b4,80,32,5f,9c,39,4a,7b,80,2c,23,1e,51,a2,75,2c) + _SD_END_DECLARATIONS; #endif