Package: lintian
Version: 2.85.0
Severity: wishlist
X-Debbugs-Cc: pkg-systemd-maintain...@lists.alioth.debian.org
Hi,

according to [1], there are quite a few packages which use User=nobody (and Group=nogroup). This is discouraged, and systemd v246 will now log a warning about this. See https://github.com/systemd/systemd/blob/master/NEWS#L106 for the reasoning:

```
        * If the service setting User= is set to the "nobody" user, a warning
          message is now written to the logs (but the value is nonetheless
          accepted). Setting User=nobody is unsafe, since the primary purpose
          of the "nobody" user is to own all files whose owner cannot be mapped
          locally. It's in particular used by the NFS subsystem and in user
          namespacing. By running a service under this user's UID it might get
          read and even write access to all these otherwise unmappable files,
          which is quite likely a major security problem.
```

It's preferable to create a dedicated system user (and group) for individual services, to not get accidental access for stuff they are not supposed to be able to access.

For some services, DynamicUser=true might be an option. This would alleviate the need for manually creating a system user.
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#DynamicUser=

Regards,
Michael

[1] https://codesearch.debian.net/search?q=User%3Dnobody&literal=1&perpkg=1

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.7.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages lintian depends on:
ii  binutils                      2.35-1
ii  bzip2                         1.0.8-4
ii  diffstat                      1.63-1
ii  dpkg                          1.20.5
ii  dpkg-dev                      1.20.5
ii  file                          1:5.38-5
ii  gettext                       0.19.8.1-10
ii  gpg                           2.2.20-1
ii  intltool-debian               0.35.0+20060710.5
ii  libapt-pkg-perl               0.1.36+b3
ii  libarchive-zip-perl           1.68-1
ii  libcapture-tiny-perl          0.48-1
ii  libclass-xsaccessor-perl      1.19-3+b5
ii  libclone-perl                 0.45-1
ii  libconfig-tiny-perl           2.24-1
ii  libcpanel-json-xs-perl        4.19-1
ii  libdata-dpath-perl            0.58-1
ii  libdata-validate-domain-perl  0.10-1
ii  libdevel-size-perl            0.83-1+b1
ii  libdigest-sha-perl            6.02-1+b2
ii  libdpkg-perl                  1.20.5
ii  libemail-address-xs-perl      1.04-1+b2
ii  libfile-basedir-perl          0.08-1
ii  libfile-find-rule-perl        0.34-1
ii  libfont-ttf-perl              1.06-1
ii  libhtml-parser-perl           3.72-5
ii  libio-async-loop-epoll-perl   0.21-1
ii  libio-async-perl              0.77-3
ii  libjson-maybexs-perl          1.004002-1
ii  liblist-compare-perl          0.53-1
ii  liblist-moreutils-perl        0.416-1+b5
ii  liblist-utilsby-perl          0.11-1
ii  libmoo-perl                   2.004000-1
ii  libmoox-aliases-perl          0.001006-1
ii  libnamespace-clean-perl       0.27-1
ii  libpath-tiny-perl             0.114-1
ii  libsereal-decoder-perl        4.017+ds-1
ii  libsereal-encoder-perl        4.017+ds-1
ii  libtext-levenshteinxs-perl    0.03-4+b7
ii  libtext-xslate-perl           3.5.8-1
ii  libtime-duration-perl         1.21-1
ii  libtime-moment-perl           0.44-1+b2
ii  libtimedate-perl              2.3300-1
ii  libtry-tiny-perl              0.30-1
ii  libtype-tiny-perl             1.010002-1
ii  libunicode-utf8-perl          0.62-1+b1
ii  liburi-perl                   1.76-2
ii  libxml-libxml-perl            2.0134+dfsg-2
ii  libxml-writer-perl            0.625-1
ii  libyaml-libyaml-perl          0.82+repack-1
ii  man-db                        2.9.3-2
ii  patchutils                    0.4.2-1
ii  perl [libdigest-sha-perl]     5.30.3-4
ii  t1utils                       1.41-4
ii  xz-utils                      5.2.4-1+b1

Versions of packages lintian recommends:
ii  libperlio-gzip-perl  0.19-1+b6

Versions of packages lintian suggests:
pn  binutils-multiarch      <none>
ii  libtext-template-perl   1.59-1

-- no debconf information
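A check along the lines of what this report asks for, added here as an example in Python rather than as lintian's own (Perl) code. It parses the [Service] section of two constructed unit files, the discouraged User=nobody/Group=nogroup form and a DynamicUser= variant, and returns a finding for each problematic key; the unit contents, the daemon name and the finding wording are all assumptions made up for the example.

```python
"""Flag systemd units that run as User=nobody / Group=nogroup."""
import configparser

# Constructed sample units; not taken from any real Debian package.
WEAK_UNIT = """\
[Unit]
Description=Example daemon

[Service]
ExecStart=/usr/bin/exampled
User=nobody
Group=nogroup
"""

HARDENED_UNIT = """\
[Unit]
Description=Example daemon

[Service]
ExecStart=/usr/bin/exampled
# Let systemd allocate a transient UID/GID for the lifetime of the service,
# so no manually created system user is needed and nothing is shared with "nobody".
DynamicUser=yes
"""


def service_section(unit_text):
    """Return the [Service] section of a unit as a dict (empty if absent)."""
    # Unit files are INI-like: keys are case-sensitive and may repeat,
    # and "%" has its own meaning, so disable interpolation and lowercasing.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(unit_text)
    return dict(cp["Service"]) if cp.has_section("Service") else {}


def check_unit(unit_text):
    """Return a list of findings; an empty list means the unit passes."""
    svc = service_section(unit_text)
    findings = []
    if svc.get("User") == "nobody":
        findings.append("User=nobody: UID shared with unmappable files (NFS, user namespaces)")
    if svc.get("Group") == "nogroup":
        findings.append("Group=nogroup: catch-all group; use a dedicated group")
    return findings


if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, check_unit(unit) or "ok")
```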