Return-Path: <SRS0=p8xb=P3=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 3C798C61CE8
	for <selinux-refpolicy@archiver.kernel.org>; Sat, 19 Jan 2019 12:30:30 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id F295B2084C
	for <selinux-refpolicy@archiver.kernel.org>; Sat, 19 Jan 2019 12:30:29 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="OfxgYCXH"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728045AbfASMa3 (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Sat, 19 Jan 2019 07:30:29 -0500
Received: from mail-ed1-f65.google.com ([209.85.208.65]:40437 "EHLO
        mail-ed1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727995AbfASMa3 (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sat, 19 Jan 2019 07:30:29 -0500
Received: by mail-ed1-f65.google.com with SMTP id g22so13218588edr.7
        for <selinux-refpolicy@vger.kernel.org>; Sat, 19 Jan 2019 04:30:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:references:date:in-reply-to:message-id
         :user-agent:mime-version;
        bh=GsSug1ZAxnqdvMY8lcBVqfsI7FZE9cfHJdvsOqaw4/c=;
        b=OfxgYCXHprIMwaYWo+6369QSWbG4UDklJJIC+V1bbv3bmkJDBmx1XD7kpImiwmlLJj
         hmDzsoTrKSaoQ+6mxuSC5vg0zN/w4Wyz7GJGhZhXCJbTDS4X/xPdz3AYRJ3BF50zrWOC
         yoJsmdzlwkbnGbQVrotrQOcWzuOa//Ngo0Qp+As9JzOF0sJsdixjXWFTdNco0ZIwRe4h
         fSYOvIg7IAQX13OCpn/I5SiiqImjqLC/mqLmIXJhV5mY8X/Z4Rc6m2x7yJI2yKPvQhh4
         aow+3x5d5sn+N5a4qwR/yyqdilitMcYK+kFj4Y+I3Zk5ybKz2vtA3uUpjIQyWYRo31dz
         0JmQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
         :message-id:user-agent:mime-version;
        bh=GsSug1ZAxnqdvMY8lcBVqfsI7FZE9cfHJdvsOqaw4/c=;
        b=SzevWAUQ2GpFKv4tT6I+YbSgOB+8ELgt/hUg4QaqOuTFuZpcU6CSF0zIoxrPgljU3U
         a9SQ9HsXFMJySdWTySdAm7ASwvUjfoz3oAAhvFJ9d9y83Sgy25y1AcxqCy0FIaiXCZBY
         Agu6OKZtKyAoSBa9Am6VEFUDdlK+dS7NOgL2u9Rm12O8BW4dA3dUtnw09pFQQcvrSdFk
         ierj/Y9ahNd4Iu69reuEHAvP4buFRT3V2gEJfmQoQee5R9Jh8GuY8mVtxCgSQEmXdoAG
         BsAKFN/sR2VMoiFSJ/Kq8J/9iQ5d53bE4dxoRe4KeDIAm65P2rJqzE54hz060ggLQVnU
         a8eg==
X-Gm-Message-State: AJcUukfeELWSO20j7j8AggExKsJYX+S/sQ6TKEB1DLsbBpFmZza2kiIK
        1AUr00qBVXx9vDMK/5gk5WPh0EVj
X-Google-Smtp-Source: ALg8bN4SU9kSHYW4O5M8hJn01sLi6nD5cECtzXWKPecxl8cSqIq+Y9BldrW0zFng/91514baixcp8w==
X-Received: by 2002:a17:906:474e:: with SMTP id j14-v6mr18152916ejs.55.1547901026791;
        Sat, 19 Jan 2019 04:30:26 -0800 (PST)
Received: from brutus ([2001:985:d55d::438])
        by smtp.gmail.com with ESMTPSA id q3-v6sm4327683ejz.30.2019.01.19.04.30.26
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sat, 19 Jan 2019 04:30:26 -0800 (PST)
From:   Dominick Grift <dac.override@gmail.com>
To:     Russell Coker <russell@coker.com.au>
Cc:     "selinux-refpolicy\@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: Re: What is this GetDynamicUsers about?
References: <2151367.RAjrkxNSSX@liv>
Date:   Sat, 19 Jan 2019 13:30:25 +0100
In-Reply-To: <2151367.RAjrkxNSSX@liv> (Russell Coker's message of "Sat, 19 Jan
        2019 22:48:11 +1100")
Message-ID: <871s5825jy.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker <russell@coker.com.au> writes:

It is kind of like a mcstrans thingy except this is baked into glibc nss
via the nss-systemd module. it translates dymamic user id's to something
that is human readable.

dynamic users are temporary users identities that can be created by systemd
on the fly for your service. Theres only a limeted range of system user
identities (<1000) available and this allows one to just create an identity on the
fly for a service via the systemd service unit.

This is a pretty intrusive feature. Consider the following:

you have a service with a dynamicuser (say "myservice") this service
creates files for example a log file in /var/log. When the service exits
the uid no longer exists and so you have a file in /var/log with a
userid that does not exist eny longer.

This is why you see the "private" dirs in /var/lib, /var/cache and
/var/log. the services see the private dirs are the root for these
respective dirs. (its using a symlink: example: /var/lib ->
/var/lib/private) So the files that might end up with orphaned
identities are atleast kept separate on the filesystem.

So myservice maintains the log file in /var/log/private instead of
/var/log "transparently" (this all needs to be configured though in the
service unit)

There can also be a file in /etc/systemd called something like
"dont-synthesize-nobody" users of nss-systemd will look for that file
(just a get attributes) So you might see these processes atleast
traverse /etc/systemd, looking to see if the flag-file exists)

So yes fully implementing support for dynamic users is far-reaching (i
did this in dssp2-standard)

You can play with this feature with `systemd-run --system -p ... [...] -t`
To see how it behaves

But anyway back to your GetDynamicUsers question: users of
auth_use_nsswitch() (nss-systemd) need to potentially be able to resolve these dynamic
user id's , for example if they read state on a system with processes
that are associated with dynamic uids or if they need to stat files
associated with dynamic uids.

I hope this helps

> # msgtype=method_call interface=org.freedesktop.systemd1.Manager 
> member=GetDynamicUsers dest=org.freedesktop.systemd1
> init_dbus_chat(postfix_showq_t)
> dbus_system_bus_client(postfix_showq_t)
>
> # msgtype=method_call interface=org.freedesktop.systemd1.Manager 
> member=GetDynamicUsers dest=org.freedesktop.systemd1
> init_dbus_chat(dictd_t)
>
> The above is from my policy that hasn't yet seemed good enough for my Debian 
> tree.  What is this GetDynamicUsers about and why do programs like dictd 
> (dictionary server) and postfix showq need it?

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift