Date: Sat, 19 Jan 2019 23:39:24 +1100
In-Reply-To: <871s5825jy.fsf@gmail.com>
References: <2151367.RAjrkxNSSX@liv> <871s5825jy.fsf@gmail.com>
Subject: Re: What is this GetDynamicUsers about?
To: Dominick Grift
CC: selinux-refpolicy@vger.kernel.org
From: Russell Coker
Message-ID: <84957EBD-2306-46DF-9089-1637D1438CFA@coker.com.au>

Thanks for that! Should we change auth_use_nsswitch()?

On 19 January 2019 11:30:25 pm AEDT, Dominick Grift wrote:
> Russell Coker writes:
>
> It is kind of like a mcstrans thingy except this is baked into glibc nss
> via the nss-systemd module. It translates dynamic user ids to something
> that is human readable.
>
> Dynamic users are temporary user identities that can be created by systemd
> on the fly for your service. There's only a limited range of system user
> identities (<1000) available and this allows one to just create an
> identity on the fly for a service via the systemd service unit.
>
> This is a pretty intrusive feature. Consider the following:
>
> You have a service with a dynamicuser (say "myservice"). This service
> creates files, for example a log file in /var/log. When the service exits
> the uid no longer exists and so you have a file in /var/log with a
> userid that does not exist any longer.
>
> This is why you see the "private" dirs in /var/lib, /var/cache and
> /var/log. The services see the private dirs as the root for these
> respective dirs. (It's using a symlink, example: /var/lib ->
> /var/lib/private.) So the files that might end up with orphaned
> identities are at least kept separate on the filesystem.
>
> So myservice maintains the log file in /var/log/private instead of
> /var/log "transparently" (this all needs to be configured though in the
> service unit).
>
> There can also be a file in /etc/systemd called something like
> "dont-synthesize-nobody". Users of nss-systemd will look for that file
> (just a get attributes), so you might see these processes at least
> traverse /etc/systemd, looking to see if the flag-file exists.
>
> So yes, fully implementing support for dynamic users is far-reaching (I
> did this in dssp2-standard).
>
> You can play with this feature with `systemd-run --system -p ... [...] -t`
> to see how it behaves.
>
> But anyway, back to your GetDynamicUsers question: users of
> auth_use_nsswitch() (nss-systemd) need to potentially be able to
> resolve these dynamic user ids, for example if they read state on a
> system with processes that are associated with dynamic uids or if they
> need to stat files associated with dynamic uids.
>
> I hope this helps
>
>> # msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1
>> init_dbus_chat(postfix_showq_t)
>> dbus_system_bus_client(postfix_showq_t)
>>
>> # msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1
>> init_dbus_chat(dictd_t)
>>
>> The above is from my policy that hasn't yet seemed good enough for my Debian
>> tree. What is this GetDynamicUsers about and why do programs like dictd
>> (dictionary server) and postfix showq need it?

--
Sent from my Huawei Mate 9 with K-9 Mail.
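As an added example (not code from the thread or from refpolicy), the denial-to-policy triage behind the quoted audit2allow comments, in Python: it parses constructed USER_AVC records in the format dbus-daemon logs for bus denials and emits the refpolicy interface calls per source domain, flagging GetDynamicUsers as nss-systemd resolving DynamicUser= uids. The sample records, the dest-to-interface table and the annotation text are this example's assumptions.

```python
import re
from collections import defaultdict

# Constructed sample audit records (not from the mail) in the USER_AVC format that
# dbus-daemon logs for bus-policy denials, plus one ordinary file AVC to be skipped.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1547901573.101:201): pid=1 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=2201 tpid=1 scontext=system_u:system_r:postfix_showq_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1547901573.102:202): pid=1 uid=81 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=2202 tpid=1 scontext=system_u:system_r:dictd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1547901573.103:203): avc:  denied  { read } for  pid=2203 comm="dictd" name="passwd" scontext=system_u:system_r:dictd_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=0
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Destination bus name -> refpolicy interface granting dbus chat with its owner.
# Only the systemd entry comes from the thread; the table is this example's assumption.
CHAT_INTERFACES = {"org.freedesktop.systemd1": "init_dbus_chat"}

def parse_dbus_denials(text):
    """Return one dict per denied dbus message, skipping non-dbus AVCs."""
    denials = []
    for line in text.splitlines():
        if "denied" not in line or "tclass=dbus" not in line:
            continue
        f = dict(FIELD_RE.findall(line))
        denials.append({
            "source": f["scontext"].split(":")[2],  # e.g. postfix_showq_t
            "target": f["tcontext"].split(":")[2],  # e.g. init_t (pid 1)
            "msgtype": f["msgtype"], "interface": f["interface"],
            "member": f["member"], "dest": f["dest"]})
    return denials

def suggest_rules(denials):
    """Emit audit2allow-style comments plus refpolicy interface calls per domain."""
    by_domain = defaultdict(list)
    for d in denials:
        by_domain[d["source"]].append(d)
    out = []
    for domain, ds in sorted(by_domain.items()):
        needed = {"dbus_system_bus_client"}  # every system-bus client; harmless if present
        for d in ds:
            out.append(f"# msgtype={d['msgtype']} interface={d['interface']} member={d['member']} dest={d['dest']}")
            if d["member"] == "GetDynamicUsers":
                out.append("# nss-systemd resolving DynamicUser= uids: an auth_use_nsswitch() caller")
            iface = CHAT_INTERFACES.get(d["dest"])
            if iface is None:
                out.append(f"# TODO: no chat interface known for dest={d['dest']}")
            else:
                needed.add(iface)
        out.extend(f"{iface}({domain})" for iface in sorted(needed))
    return out
```

Run `suggest_rules(parse_dbus_denials(SAMPLE_AUDIT))` to get the same comment-plus-interface lines as in the quoted policy fragment, one group per source domain.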