user/group assertion to not exceed the 32/16 character limit #36556
+2
−0
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GrahamcOfBorg
added
6.topic: nixos
qknight
force-pushed
the
user_group_length_assertion
branch
from
2808301 to
03ba77a
Compare
qknight
changed the title
qknight
force-pushed
the
user_group_length_assertion
branch
from
03ba77a to
15d1d9d
Compare
|
👍 |
|
Maybe it should be rather a warning then an |
infinisil
approved these changes
Mar 25, 2018
|
Picked to 18.03, too. |
|
@vcunat, @fpletz, @qknight: IMHO there is no reason to go below the Besides, I checked the limit on other distros and they all use a limit of either 31 or 32 characters:
So I think we should change this to 31 or even 32 characters to be in par with the maximum user name length. |
|
@aszlig sounds great, do you want to implement that change? |
|
This broke a module I maintain that uses a 21-character group name, which worked fine previously. |
aszlig
added a commit
that referenced
this pull request
Apr 8, 2018
With #36556, a check was introduced to make sure the user and group names do not exceed their respective maximum length. This is in part because systemd also enforces that length, but only at runtime. So in general it's a good idea to catch as much as we can during evaluation time, however the maximum length of the group name was set to 16 characters according groupadd(8). The maximum length of the group names however is a compile-time option and even systemd allows more than 16 characters. In the mentioned pull request (#36556) there was already a report that this has broken evaluation for people out there. I have also checked what other distributions are doing and they set the length to either 31 characters or 32 characters, the latter being more common. Unfortunately there is a difference between the maximum length enforced by the shadow package and systemd, both for user name lengths and group name lengths. However, systemd enforces both length to have a maximum of 31 characters and I'm not sure if this is intended or just a off-by-one error in systemd. Nevertheless, I choose 32 characters simply to bring it in par with the maximum user name length. For the NixOS assertion however, I use a maximum length of 31 to make sure that nobody accidentally creates services that contain group names that systemd considers invalid because of a length of 32 characters. Signed-off-by: aszlig <aszlig@nix.build> Closes: #38548 Cc: @vcunat, @fpletz, @qknight
aszlig
added a commit
that referenced
this pull request
Apr 8, 2018
With #36556, a check was introduced to make sure the user and group names do not exceed their respective maximum length. This is in part because systemd also enforces that length, but only at runtime. So in general it's a good idea to catch as much as we can during evaluation time, however the maximum length of the group name was set to 16 characters according groupadd(8). The maximum length of the group names however is a compile-time option and even systemd allows more than 16 characters. In the mentioned pull request (#36556) there was already a report that this has broken evaluation for people out there. I have also checked what other distributions are doing and they set the length to either 31 characters or 32 characters, the latter being more common. Unfortunately there is a difference between the maximum length enforced by the shadow package and systemd, both for user name lengths and group name lengths. However, systemd enforces both length to have a maximum of 31 characters and I'm not sure if this is intended or just a off-by-one error in systemd. Nevertheless, I choose 32 characters simply to bring it in par with the maximum user name length. For the NixOS assertion however, I use a maximum length of 31 to make sure that nobody accidentally creates services that contain group names that systemd considers invalid because of a length of 32 characters. Signed-off-by: aszlig <aszlig@nix.build> Closes: #38548 Cc: @vcunat, @fpletz, @qknight (cherry picked from commit 99ba1cb)
globin
pushed a commit
to mayflower/nixpkgs
that referenced
this pull request
May 1, 2018
With NixOS#36556, a check was introduced to make sure the user and group names do not exceed their respective maximum length. This is in part because systemd also enforces that length, but only at runtime. So in general it's a good idea to catch as much as we can during evaluation time, however the maximum length of the group name was set to 16 characters according groupadd(8). The maximum length of the group names however is a compile-time option and even systemd allows more than 16 characters. In the mentioned pull request (NixOS#36556) there was already a report that this has broken evaluation for people out there. I have also checked what other distributions are doing and they set the length to either 31 characters or 32 characters, the latter being more common. Unfortunately there is a difference between the maximum length enforced by the shadow package and systemd, both for user name lengths and group name lengths. However, systemd enforces both length to have a maximum of 31 characters and I'm not sure if this is intended or just a off-by-one error in systemd. Nevertheless, I choose 32 characters simply to bring it in par with the maximum user name length. For the NixOS assertion however, I use a maximum length of 31 to make sure that nobody accidentally creates services that contain group names that systemd considers invalid because of a length of 32 characters. Signed-off-by: aszlig <aszlig@nix.build> Closes: NixOS#38548 Cc: @vcunat, @fpletz, @qknight (cherry picked from commit 99ba1cb)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
With the previous implementation one can add a
userorgroupwhich is created by Nix but then fails to execute programs fromsystemd.man useraddsays:Usernames may only be up to 32 characters long.The actual implementation says it is only 31 chars: https://github.com/systemd/systemd/blob/586fb20fd192d9f9cd2a850f50f67ccd797b6931/src/basic/user-util.c#L624
man groupaddsays:Groupnames may only be up to 16 characters long.So this simple
applycheck makes the user aware of this!See also: nixcloud/nixcloud-webservices#15