New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Increase max group name length to 32 characters #38548
Conversation
With NixOS#36556, a check was introduced to make sure the user and group names do not exceed their respective maximum length. This is in part because systemd also enforces that length, but only at runtime. So in general it's a good idea to catch as much as we can during evaluation time, however the maximum length of the group name was set to 16 characters according groupadd(8). The maximum length of the group names however is a compile-time option and even systemd allows more than 16 characters. In the mentioned pull request (NixOS#36556) there was already a report that this has broken evaluation for people out there. I have also checked what other distributions are doing and they set the length to either 31 characters or 32 characters, the latter being more common. Unfortunately there is a difference between the maximum length enforced by the shadow package and systemd, both for user name lengths and group name lengths. However, systemd enforces both length to have a maximum of 31 characters and I'm not sure if this is intended or just a off-by-one error in systemd. Nevertheless, I choose 32 characters simply to bring it in par with the maximum user name length. For the NixOS assertion however, I use a maximum length of 31 to make sure that nobody accidentally creates services that contain group names that systemd considers invalid because of a length of 32 characters. Signed-off-by: aszlig <aszlig@nix.build> Cc: @vcunat, @fpletz, @qknight
@@ -92,7 +92,7 @@ let | |||
|
|||
group = mkOption { | |||
type = types.str; | |||
apply = x: assert (builtins.stringLength x < 17 || abort "Group name '${x}' is longer than 16 characters which is not allowed!"); x; | |||
apply = x: assert (builtins.stringLength x < 32 || abort "Group name '${x}' is longer than 31 characters which is not allowed!"); x; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nitpick: are you sure +-1 is correct here? --with-group-name-max-length=32
would feel like 32 characters is still OK, but I didn't verify that at all.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, now I read your description in full so I see it's unclear :-)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 great to make this consistent within nixpkgs and with other common distributions. The man page that triggered this restriction reflects the configure-time choice.
With #36556, a check was introduced to make sure the user and group names do not exceed their respective maximum length. This is in part because systemd also enforces that length, but only at runtime. So in general it's a good idea to catch as much as we can during evaluation time, however the maximum length of the group name was set to 16 characters according groupadd(8). The maximum length of the group names however is a compile-time option and even systemd allows more than 16 characters. In the mentioned pull request (#36556) there was already a report that this has broken evaluation for people out there. I have also checked what other distributions are doing and they set the length to either 31 characters or 32 characters, the latter being more common. Unfortunately there is a difference between the maximum length enforced by the shadow package and systemd, both for user name lengths and group name lengths. However, systemd enforces both length to have a maximum of 31 characters and I'm not sure if this is intended or just a off-by-one error in systemd. Nevertheless, I choose 32 characters simply to bring it in par with the maximum user name length. For the NixOS assertion however, I use a maximum length of 31 to make sure that nobody accidentally creates services that contain group names that systemd considers invalid because of a length of 32 characters. Signed-off-by: aszlig <aszlig@nix.build> Closes: #38548 Cc: @vcunat, @fpletz, @qknight
With #36556, a check was introduced to make sure the user and group names do not exceed their respective maximum length. This is in part because systemd also enforces that length, but only at runtime. So in general it's a good idea to catch as much as we can during evaluation time, however the maximum length of the group name was set to 16 characters according groupadd(8). The maximum length of the group names however is a compile-time option and even systemd allows more than 16 characters. In the mentioned pull request (#36556) there was already a report that this has broken evaluation for people out there. I have also checked what other distributions are doing and they set the length to either 31 characters or 32 characters, the latter being more common. Unfortunately there is a difference between the maximum length enforced by the shadow package and systemd, both for user name lengths and group name lengths. However, systemd enforces both length to have a maximum of 31 characters and I'm not sure if this is intended or just a off-by-one error in systemd. Nevertheless, I choose 32 characters simply to bring it in par with the maximum user name length. For the NixOS assertion however, I use a maximum length of 31 to make sure that nobody accidentally creates services that contain group names that systemd considers invalid because of a length of 32 characters. Signed-off-by: aszlig <aszlig@nix.build> Closes: #38548 Cc: @vcunat, @fpletz, @qknight (cherry picked from commit 99ba1cb)
@aszlig can you also backport this to 18.03? |
He had pushed it to |
With NixOS#36556, a check was introduced to make sure the user and group names do not exceed their respective maximum length. This is in part because systemd also enforces that length, but only at runtime. So in general it's a good idea to catch as much as we can during evaluation time, however the maximum length of the group name was set to 16 characters according groupadd(8). The maximum length of the group names however is a compile-time option and even systemd allows more than 16 characters. In the mentioned pull request (NixOS#36556) there was already a report that this has broken evaluation for people out there. I have also checked what other distributions are doing and they set the length to either 31 characters or 32 characters, the latter being more common. Unfortunately there is a difference between the maximum length enforced by the shadow package and systemd, both for user name lengths and group name lengths. However, systemd enforces both length to have a maximum of 31 characters and I'm not sure if this is intended or just a off-by-one error in systemd. Nevertheless, I choose 32 characters simply to bring it in par with the maximum user name length. For the NixOS assertion however, I use a maximum length of 31 to make sure that nobody accidentally creates services that contain group names that systemd considers invalid because of a length of 32 characters. Signed-off-by: aszlig <aszlig@nix.build> Closes: NixOS#38548 Cc: @vcunat, @fpletz, @qknight (cherry picked from commit 99ba1cb)
With #36556, a check was introduced to make sure the user and group names do not exceed their respective maximum length. This is in part because systemd also enforces that length, but only at runtime.
So in general it's a good idea to catch as much as we can during evaluation time, however the maximum length of the group name was set to 16 characters according
groupadd(8)
.The maximum length of the group names however is a compile-time option and even systemd allows more than 16 characters. In the mentioned pull request (#36556) there was already a report that this has broken
evaluation for people out there.
I have also checked what other distributions are doing and they set the length to either 31 characters or 32 characters, the latter being more common.
Unfortunately there is a difference between the maximum length enforced by the
shadow
package and systemd, both for user name lengths and group name lengths. However, systemd enforces both length to have a maximum of 31 characters and I'm not sure if this is intended or just a off-by-one error in systemd.Nevertheless, I choose 32 characters simply to bring it in par with the maximum user name length.
For the NixOS assertion however, I use a maximum length of 31 to make sure that nobody accidentally creates services that contain group names that systemd considers invalid because of a length of 32 characters.
Note: I'm basing this onmaster
instead ofstaging
, because while it affects a lot of packages (notstdenv
however), the change is rather trivial and needs to land in 18.03 ASAP as the change from #36556 breaks evaluation of systems out there which use group names with a length from 17 to 31 characters.Cc: @vcunat, @fpletz, @qknight