From 6403cebe275b861b58e1b8f2f888afca676e9be7 Mon Sep 17 00:00:00 2001 From: jfs Date: Fri, 28 Oct 2005 19:55:01 +0000 Subject: [PATCH] Revision of the best practices related to system users git-svn-id: svn://anonscm.debian.org/ddp/manuals/trunk/developers-reference@3575 313b444b-1b9f-4f58-a734-7bb04f332e8d --- developers-reference.sgml | 128 +++++++++++++++++++++++++++++--------- 1 file changed, 99 insertions(+), 29 deletions(-) diff --git a/developers-reference.sgml b/developers-reference.sgml index 2643680..c941fbd 100644 --- a/developers-reference.sgml +++ b/developers-reference.sgml @@ -7,7 +7,7 @@ %dynamicdata; - + @@ -4151,7 +4151,7 @@ name="Debian Security Manual"> added to poliy --> - Creating users and groups for software daemons + System users and groups for software daemons

If your software runs a daemon that does not need root privileges, you need to create a user for it. There are two kind of Debian users @@ -4167,6 +4167,18 @@ to system users. the preinst or in the postinst and make the package depend on adduser (>= 3.11). +

Running programs with a user with limited privileges makes sure +that any security issue with the program makes limited damaged to the +system and follows the principle of least privilege you can +limit privileges in programs through other mechanisms besides running +as non-root. Fore more information, read the chapter of the Secure Programming for +Linux and Unix HOWTO book. + + + Creating system users and groups +

The following example code creates the user and group the daemon will run as when the package is installed or upgraded: @@ -4177,6 +4189,10 @@ case "$1" in # If the package has default file it could be sourced, so that # the local admin can overwrite the defaults + # Notice that the package could handle this defaults through + # debconf so that the local admin could select a different + # user name for the system user than the one hardcoded in the + # package [ -f "/etc/default/packagename" ] && . /etc/default/packagename @@ -4189,6 +4205,8 @@ case "$1" in [ -z "$SERVER_GROUP" ] && SERVER_GROUP=server_group # Groups that the user will be added to, if undefined, then none. + # Some daemons might need additional privileges and those can be + # granted by adding it to additional groups. ADDGROUP="" @@ -4199,9 +4217,9 @@ case "$1" in addgroup --quiet --system $SERVER_GROUP 2>/dev/null ||true echo "..done" fi - # 2. create homedir if not existing + # 2. create homedir if it does not exist test -d $SERVER_HOME || mkdir $SERVER_HOME - # 3. create user if not existing + # 3. create user if it does not exist if ! getent passwd | grep -q "^$SERVER_USER:"; then echo -n "Adding system user $SERVER_USER.." adduser --quiet \ 
@@ -4211,13 +4229,49 @@ case "$1" in --disabled-password \ $SERVER_USER 2>/dev/null || true echo "..done" - fi - # 4. adjust passwd entry - usermod -c "$SERVER_NAME" \ + # 4. adjust passwd entry, only do this if the package + # creates the user + usermod -c "$SERVER_NAME" \ -d $SERVER_HOME \ -g $SERVER_GROUP \ $SERVER_USER + else + # The package might want to check if the user already exists + # and it is *not* a system user, in this case it should abort + # the installation (like in this example) or ask the administrator + # since otherwrise it might have unexpected consequences. + # Some packages try to prevent collision by using a prefix such as 'Debian-' + for LINE in `grep SYSTEM_UID /etc/adduser.conf | grep -v "^#"`; do + case $LINE in + FIRST_SYSTEM_UID*) + FIST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` + ;; + LAST_SYSTEM_UID*) + LAST_SYSTEM_UID=`echo $LINE | cut -f2 -d '='` + ;; + *) + ;; + esac + done + # Abort package installation if the user has not been created by + # us. + if [ -n "$FIST_SYSTEM_UID" ] && [ -n "$LAST_SYSTEM_UID" ]; then + if USERID=`getent passwd $SERVER_USER | cut -f 3 -d ':'`; then + if [ -n "$USERID" ]; then + if [ "$FIST_SYSTEM_UID" -le "$USERID" ] && \ + [ "$USERID" -le "$LAST_SYSTEM_UID" ]; then + echo "The user $SERVER_USER already exists as a non system user!" >&2 + echo "Aborting package installation" >&2 + exit 1 + fi + fi + fi + fi + fi + # 5. adjust file and directory permissions + # The example below sets the server home as 750 as it + # contains (hypothetically) sensible information. if ! dpkg-statoverride --list $SERVER_HOME >/dev/null then chown -R $SERVER_USER:adm $SERVER_HOME @@ -4236,7 +4290,11 @@ case "$1" in [...] -

You have to make sure that the init.d script file: + + Using system users + +

In order to make use of the system user you have to make sure that the +init.d script file: Starts the daemon dropping privileges, if the software does not @@ -4262,23 +4320,40 @@ for this. + + + + Removing system users +

If the package creates the system user it can remove it when it is -purged in its postrm, this has some drawbacks -For example, files created by it will be orphaned -and might be taken over by a new system user in the future if it is -assigned the same uid. Some relevant threads discussing these -drawbacks include +purged in its postrm, this currently not recommended +since it has a few known + +Some relevant threads discussing these issues include: -and +id="http://lists.debian.org/debian-mentors/2004/10/msg00338.html">, +and +. -so this is not mandatory and depends on the -package needs. If unsure, it could be handled by asking the -administrator for the prefered action when the package is installed -(see ). The following example code removes the user -and groups created before only, and only if, the uid is in the range of -dynamic assigned system uids and the gid is belongs to a system group: +drawbacks. For example, files created by the daemon (or by an admin +impersonating it) either on the local filesystem or in backup files will be +orphaned and might be taken over by a new system user in the future if it is +assigned the same uid. On the other hand, an unused local system user can be +used to access even if the account has been locked (as some authentication +systems might not use PAM or shadow authentication). + +

If you want to remove a system user and there is a possibility of it +leaving orphaned files, the administrator should be asked for the preferred +action either when the package is installed or when it is removed (see ). + +

The following example code removes the user and groups created +before only, and only if, the uid is in the range of dynamic assigned system +uids and the gid is belongs to a system group: case "$1" in @@ -4328,14 +4403,9 @@ case "$1" in [...] -

Running programs with a user with limited privileges makes sure -that any security issue with the program makes limited damaged to the -system and follows the principle of least privilege you can -limit privileges in programs through other mechanisms besides running -as non-root. Fore more information, read the chapter of the Secure Programming for -Linux and Unix HOWTO book. +

Other possibilities, are to make sure the account is locked (has an invalid +password and /bin/false as a shell) and modify the GECOS field +pointing out that the account is no longer used. -- 2.30.2
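Review bot: the paragraph moved in by the @@ -4167,6 +4167,18 @@ hunk carries its typos along with it; since the lines are being rewritten anyway, fix them here rather than in a follow-up. "makes limited damaged to the system" should read "limits the damage to the system", "Fore more information" should be "For more information", and the run-on "follows the principle of least privilege you can limit privileges in programs through other mechanisms" needs a sentence break: "...follows the principle of least privilege. You can also limit privileges in programs through other mechanisms besides running as non-root."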
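Review bot: the new comment in the @@ -4205,8 hunk ("Some daemons might need additional privileges and those can be granted by adding it to additional groups") should also say that every group listed in ADDGROUP widens what a compromised daemon can reach, which is exactly what the least-privilege paragraph added at the top of this section warns about; "adding it" should be "adding the user", and a one-line caveat such as "keep this list to the groups the daemon actually needs" would make the example consistent with that paragraph.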
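Review bot: the uid-range check added in the @@ -4211,13 +4229,49 @@ hunk has its condition inverted relative to its own comment and error message. The comment says to abort when the existing user "is *not* a system user", but `[ "$FIST_SYSTEM_UID" -le "$USERID" ] && [ "$USERID" -le "$LAST_SYSTEM_UID" ]` is true precisely when the uid lies inside the system range, so the example aborts in the case it should accept and carries on silently when a regular account already owns the name; the test needs to be negated (or written as `-lt` / `-gt`). While fixing that: rename the consistently misspelled `FIST_SYSTEM_UID` to `FIRST_SYSTEM_UID`; the wrapper `if USERID=\`getent passwd $SERVER_USER | cut -f 3 -d ':'\`` tests the exit status of `cut`, not `getent`, so it is always true and the inner `[ -n "$USERID" ]` is the only real check (a plain assignment followed by the `-n` test is clearer); if neither variable is found in /etc/adduser.conf the whole check is skipped and installation proceeds, so consider falling back to adduser's own defaults (100 and 999) instead of silently doing nothing; and in the comments "otherwrise" should be "otherwise" and "sensible information" should be "sensitive information".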
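Review bot: the rewritten "Removing system users" text in the @@ -4262,23 +4320,40 @@ hunk does not parse as written: "this currently not recommended since it has a few known" is missing "is", and the footnote with the mailing-list threads is inserted between "known" and "drawbacks", splitting the sentence; move the footnote to after "drawbacks." Further down, "an unused local system user can be used to access even if the account has been locked" lacks its object ("to access the system"), and the parenthetical "as some authentication systems might not use PAM or shadow authentication" should either name what it means or be dropped, since as written it is the only justification for that claim. Also "prefered" should be "preferred" and "the gid is belongs to a system group" should be "the gid belongs to a system group".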