pid1: warn if people use User=nobody (#16293)

Lennart Poettering 2020-06-26 22:36:39 +02:00 committed by GitHub
parent 7143b95552
commit bed0b7dfc0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 35 additions and 4 deletions

TODO

@ -30,10 +30,6 @@ Features:
* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
* warn if User=nobody is used in a unit file. It's the overflow UID after all,
and the service might thus get access to files it really should not get
access to on NFS and userns environments.
* build short web pages out of each catalog entry, build them along with man * build short web pages out of each catalog entry, build them along with man
pages, and include hyperlinks to them in the journal output pages, and include hyperlinks to them in the journal output


@ -464,3 +464,23 @@ system shutdown.
It is generally recommended to avoid such overly long mount point paths, or — It is generally recommended to avoid such overly long mount point paths, or —
if used anyway manage them independently of systemd, i.e. establish them as if used anyway manage them independently of systemd, i.e. establish them as
well as tear them down automatically at system shutdown by other software. well as tear them down automatically at system shutdown by other software.
-- b480325f9c394a7b802c231e51a2752c
Subject: Special user @OFFENDING_USER@ configured, this is not safe!
Defined-By: systemd
Support: %SUPPORT_URL%
Documentation: https://systemd.io/UIDS-GIDS
The unit @UNIT@ is configured to use User=@OFFENDING_USER@.
This is not safe. The @OFFENDING_USER@ user's main purpose on Linux-based
operating systems is to be the owner of files that otherwise cannot be mapped
to any local user. It's used by the NFS client and Linux user namespacing,
among others. By running a unit's processes under the identity of this user
they might possibly get read and even write access to such files that cannot
otherwise be mapped.
It is strongly recommended to avoid running services under this user identity,
in particular on systems using NFS or running containers. Allocate a user ID
specific to this service, either statically via systemd-sysusers or dynamically
via the DynamicUser= service setting.
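Review bot: the catalog entry explains the risk only for User=; a unit running with the overflow group as its primary group has the same unmapped-ownership problem on NFS and in user namespaces, yet neither this text nor the check in config_parse_user_group_compat mentions Group=. If that omission is deliberate, say so in the entry (or in the code), otherwise add a sentence covering the group case so the advice matches what the parser actually flags.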


@ -13,6 +13,8 @@
#include <sched.h> #include <sched.h>
#include <sys/resource.h> #include <sys/resource.h>
#include "sd-messages.h"
#include "af-list.h" #include "af-list.h"
#include "alloc-util.h" #include "alloc-util.h"
#include "all-units.h" #include "all-units.h"
@ -2287,6 +2289,15 @@ int config_parse_user_group_compat(
return -ENOEXEC; return -ENOEXEC;
} }
if (strstr(lvalue, "User") && streq(k, NOBODY_USER_NAME))
log_struct(LOG_NOTICE,
"MESSAGE=%s:%u: Special user %s configured, this is not safe!", filename, line, k,
"UNIT=%s", unit,
"MESSAGE_ID=" SD_MESSAGE_NOBODY_USER_UNSUITABLE_STR,
"OFFENDING_USER=%s", k,
"CONFIG_FILE=%s", filename,
"CONFIG_LINE=%u", line);
return free_and_replace(*user, k); return free_and_replace(*user, k);
} }
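Review bot: the check compares the configured value against NOBODY_USER_NAME with streq(), so a unit that spells the same account numerically (User= with the overflow UID) slips past the warning; if that is meant to be covered, resolve the value before comparing rather than matching the literal name. Two smaller points: `strstr(lvalue, "User")` fires for every key containing "User", and since this parser is named config_parse_user_group_compat a one-line comment stating which keys are meant to trigger (and that Group= intentionally does not) would save the next reader a lookup; and the commit title says "warn" and the message says "this is not safe!", yet the entry goes out at LOG_NOTICE, so LOG_WARNING would match the wording.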


@ -166,6 +166,10 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_MOUNT_POINT_PATH_NOT_SUITABLE_STR \ #define SD_MESSAGE_MOUNT_POINT_PATH_NOT_SUITABLE_STR \
SD_ID128_MAKE_STR(1b,3b,b9,40,37,f0,4b,bf,81,02,8e,13,5a,12,d2,93) SD_ID128_MAKE_STR(1b,3b,b9,40,37,f0,4b,bf,81,02,8e,13,5a,12,d2,93)
#define SD_MESSAGE_NOBODY_USER_UNSUITABLE SD_ID128_MAKE(b4,80,32,5f,9c,39,4a,7b,80,2c,23,1e,51,a2,75,2c)
#define SD_MESSAGE_NOBODY_USER_UNSUITABLE_STR \
SD_ID128_MAKE_STR(b4,80,32,5f,9c,39,4a,7b,80,2c,23,1e,51,a2,75,2c)
_SD_END_DECLARATIONS; _SD_END_DECLARATIONS;
#endif #endif
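Review bot: the ID in SD_MESSAGE_NOBODY_USER_UNSUITABLE (b4,80,32,5f,...,a2,75,2c) agrees byte for byte with the catalog entry header b480325f9c394a7b802c231e51a2752c, so the lookup will resolve; as this is a public header, a short comment on the new macro stating when the message is emitted (User=nobody in a unit file) would help consumers of the message ID.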