From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: What is this GetDynamicUsers about?
Date: Sat, 19 Jan 2019 13:30:25 +0100
In-Reply-To: <2151367.RAjrkxNSSX@liv> (Russell Coker's message of "Sat, 19 Jan 2019 22:48:11 +1100")
Message-ID: <871s5825jy.fsf@gmail.com>
List-ID: selinux-refpolicy@vger.kernel.org

Russell Coker writes:

It is kind of like a mcstrans thingy, except this is baked into glibc NSS via the nss-systemd module. It translates dynamic user IDs to something that is human readable. Dynamic users are temporary user identities that can be created by systemd on the fly for your service.
There's only a limited range of system user identities (<1000) available, and this allows one to just create an identity on the fly for a service via the systemd service unit.

This is a pretty intrusive feature. Consider the following: you have a service with a dynamic user (say "myservice"). This service creates files, for example a log file in /var/log. When the service exits the UID no longer exists, and so you have a file in /var/log with a user ID that does not exist any longer.

This is why you see the "private" dirs in /var/lib, /var/cache and /var/log. The services see the private dirs as the root for these respective dirs (it's using a symlink, for example /var/lib -> /var/lib/private). So the files that might end up with orphaned identities are at least kept separate on the filesystem. So myservice maintains the log file in /var/log/private instead of /var/log "transparently" (this all needs to be configured in the service unit, though).

There can also be a file in /etc/systemd called something like "dont-synthesize-nobody". Users of nss-systemd will look for that file (just a get attributes), so you might see these processes at least traverse /etc/systemd, looking to see if the flag file exists.

So yes, fully implementing support for dynamic users is far-reaching (I did this in dssp2-standard).

You can play with this feature with `systemd-run --system -p ... [...] -t` to see how it behaves.

But anyway, back to your GetDynamicUsers question: users of auth_use_nsswitch() (nss-systemd) need to potentially be able to resolve these dynamic user IDs, for example if they read state on a system with processes that are associated with dynamic UIDs, or if they need to stat files associated with dynamic UIDs.
I hope this helps.

> # msgtype=method_call interface=org.freedesktop.systemd1.Manager
> member=GetDynamicUsers dest=org.freedesktop.systemd1
> init_dbus_chat(postfix_showq_t)
> dbus_system_bus_client(postfix_showq_t)
>
> # msgtype=method_call interface=org.freedesktop.systemd1.Manager
> member=GetDynamicUsers dest=org.freedesktop.systemd1
> init_dbus_chat(dictd_t)
>
> The above is from my policy that hasn't yet seemed good enough for my Debian
> tree. What is this GetDynamicUsers about and why do programs like dictd
> (dictionary server) and postfix showq need it?

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
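The "myservice" scenario in the reply above, written out as a service unit. This is an added example, not part of the thread and not taken from any project's own units; the service name "myservice" and the daemon path are placeholders. It shows the directives that put a dynamic user's state, cache and log files under the "private" trees the reply describes, so that files owned by a transient UID never end up loose in /var/lib, /var/cache or /var/log once that UID has been released.

```ini
# Added example (not from the thread): a minimal unit using a systemd dynamic user.
# "myservice" and /usr/bin/myservice-daemon are placeholders.
[Unit]
Description=Example service running as a systemd dynamic user

[Service]
# A UID/GID in the system range is allocated when the service starts and
# released when it stops. Nothing is written to /etc/passwd; name lookups
# for the transient UID are answered by the nss-systemd module.
DynamicUser=yes

# With DynamicUser=yes these directories are created under the private trees
# (/var/lib/private/myservice, /var/cache/private/myservice,
# /var/log/private/myservice) and exposed to the service at the usual
# /var/lib/myservice, /var/cache/myservice and /var/log/myservice paths, so
# files owned by the transient UID stay separated from everything else.
StateDirectory=myservice
CacheDirectory=myservice
LogsDirectory=myservice

# Placeholder daemon path; comments must sit on their own line in unit files.
ExecStart=/usr/bin/myservice-daemon

[Install]
WantedBy=multi-user.target
```

To observe the same behaviour without installing a unit, the properties can be passed to the command the reply mentions, for example `systemd-run --system -p DynamicUser=yes -p LogsDirectory=myservice -t /bin/sh`, and then `id` and `ls -la /var/log/private` inside the resulting shell show the allocated UID and the directory it owns. For policy authors, the consequence is the one the reply draws: any domain that stats these files or reads process state for such a service must be able to resolve the UID through nss-systemd, which is where the GetDynamicUsers D-Bus call comes from.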