NixOS doesn't detect UID/GID collisions #112647
Comments
veprbl
added
the
6.topic: nixos
|
The issue looks like the user for nextcloud is not labeled as system user (which would cause it to be assigned an id below 1000). |
That would be great for Nixpkgs IMO (I assume
IIRC I once heard that they're assigned incrementally and tracked via The other thing that surprised me is that UID clashes are apparently not detected: #112640 (comment) nixpkgs/nixos/modules/config/users-groups.nix Line 402 in bc0d605 useradd/groupadd could emit a warning/error via during the activation - nixos/modules/config/update-users-groups.pl already seems to emit some warnings if necessary).
|
|
> I wonder if we should make explicitely specifying wether a user is system or normal mandatory (by not providing a default value to the option).
I don't know what the actual way is to make it less error-prone, but I would
have expected that either the new user failed on deployment because the UID was
already used, or the system service configuration failing on first install
because I didn't tell it which UID to use.
Either way would be fine for me, but silently working in the deployment and then
breaking at runtime is an issue.
On 10-02-2021 09:54:38, Michael Weiss wrote:
> NixOS rolls a dice on system service user IDs.
IIRC I once heard that they're assigned incrementally and tracked via
`/var/lib/nixos/{uid,gid}-map` but I've never looked into that myself.
Rolling dice vs. assigning incrementally - doesn't matter, it collided and that
shouldn't have happened.
|
primeos
changed the title
I assume "NixOS doesn't detect UID/GID collisions now" is the main issue (please correct me if I'm wrong). |
|
I just ran into this problem too. I tried to create a new "builder" user for distributed builds, but I didn't realize that a user with the same UID (1001) was already automatically assigned for localtimed. |
|
So what would the expected behavior be, should |
Yes, that would be helpful. |
|
On 11-02-2021 00:22:06, xaverdh wrote:
So what would the expected behavior be, should `update-user-groups` emit a warning?
No, it should break my build entirely.
To not break backwards-compatibility, tho, I would argue that a warning for now,
and as soon as the next nixos release is made, this should be turned into a hard
error.
|
I think the issue is that this can only be detected at run time, because the previously used ids are state in |
|
Failing on generation activation does not look like a good idea because then affecting a new user imperatively can make previous generation unbootable. |
|
On 11-02-2021 06:22:46, Guillaume Girol wrote:
Failing on generation activation does not look like a good idea because then
affecting a new user imperatively can make *previous* generation unbootable.
yep, that sounds like a real issue.
I guess the best way would be to disallow services without UID configuration.
This way, the admin _must_ provide a UID for each service they configure.
At this point, this sounds like the only approach that might work.
|
|
I feel like we're running a bit in circles here... :o
No, AFAIK this is only true for some cases that are hopefully pretty uncommon (useradd/groupadd, s. #112647 (comment)).
That's a good point. And additionally I assume that errors in activation scripts should never occur because that could put the system in an "unknown/undefined" state (if only some of the activation steps where executed).
Forcing everyone to manually assign all UIDs and GIDs sounds like a bad idea to me (though we could make this optional if that isn't already possible by e.g. setting/overriding the default UID/GID values). And it would still be error prone (currently collisions should only occur if the admin assigns a UID/GID that's already in use, so IMO there might be no or only very minor advantages depending on some implementation details). |
|
On 11-02-2021 09:27:05, Michael Weiss wrote:
Forcing everyone to manually assign all UIDs and GIDs sounds like a bad idea
to me
AFAIK, _some_ services have predefined UIDs/GIDs (see
nixos/modules/misc/ids.nix).
For example, redis was removed in 453e15e, tho - and of course the commit
message does leave me clueless why this was happening:
nixos/redis: remove static uid/gid assignment
all files are chowned on startup
That's why I CC'd Jörg with this mail as well, maybe they can explain?
If most services would have a UID/GID configured, and all that have none fail
without the user assigning one, that would result in a bit of effort on the
users side, but of course with a lot better security considering discussed
issue, am I right?
Or am I missing the relevant point here?
|
Yes and (IIRC) we started to run out of UIDs/GIDs in that range. There should be good explanations on GitHub and/or the Git history and if you open
I think this would result in quite some effort (especially since the UIDs/GIDs must remain unchanged or one has to manually update file owners/groups) and affect (almost) all users. In any case I think that's a bad idea.
I don't see any security advantage. You should've only gotten that UID collision because you didn't check if it was already in use (or maybe it's also possible if you add multiple users at the same time - but ideally the code should only dynamically assign new UIDs after all new manually set UIDs are "tracked", so this is hopefully unlikely / would be a bug). |
|
So for services, we should aim to use But collisions with either current or prior state are not that easy to handle.. and its not just about mutable users, you might just as well have some leftover state from an earlier configuration and the same issue can happen (because explicitly specifying a |
|
as a side note: Its quite possible (the shadow tooling supports this, and apparently people do, or at least did use it as well) to have two users share the same |
I take that back. There is simply no way to detect that collision without accessing the prior state. |
|
Sorry this is a long thread and I haven't read it all but just in case it provides some context: https://github.com/NixOS/rfcs/blob/master/rfcs/0052-dynamic-ids.md |
|
I gave this some thought, since user / group creation for services is somewhat error prone manual work currently, maybe nixpkgs would benefit from some helper functions, to be used in nixos modules? |
|
Your suggestions (which I support) are best served by the module system
With a helper function, there is always the possibility of forgetting to use it :/ |
|
Reasoning is described here: https://github.com/NixOS/rfcs/blob/master/rfcs/0052-dynamic-ids.md
…On 11 February 2021 18:37:39 CET, Matthias Beyer ***@***.***> wrote:
On 11-02-2021 09:27:05, Michael Weiss wrote:
> Forcing everyone to manually assign all UIDs and GIDs sounds like a
bad idea
> to me
AFAIK, _some_ services have predefined UIDs/GIDs (see
nixos/modules/misc/ids.nix).
For example, redis was removed in 453e15e, tho - and of course the
commit
message does leave me clueless why this was happening:
> nixos/redis: remove static uid/gid assignment
> all files are chowned on startup
That's why I CC'd Jörg with this mail as well, maybe they can explain?
If most services would have a UID/GID configured, and all that have
none fail
without the user assigning one, that would result in a bit of effort on
the
users side, but of course with a lot better security considering
discussed
issue, am I right?
Or am I missing the relevant point here?
|
|
WTF? I didn't post this! |
I implemented this in #115332 but by requesting users to be explicit instead of changing the default. |
As the only consequence of isSystemUser is that if the uid is null then it's allocated below 500, if a user has uid = something below 500 then we don't require isSystemUser to be set. Motivation: NixOS#112647
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
Describe the bug
NixOS rolls a dice on system service user IDs.
This caused a very weird bug on my nextcloud deployment: #112640
The issue was, in short, that the
nextclouduser got an UID (1001) which I assigned to a new user later on.This resulted, after a reboot, that the
phpfpm-nextcloud.servicewas started as user (bob) and nothing worked.The fix felt like digging in mud, coming from the clean and shiny world of NixOS.
But, maybe not so shiny: I blame nixos here.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
User IDs MUST be hardcoded by the administrator / author of configuration.nix
I know that there are predefined UIDs, but for some services there are not (and redis even got removed!). Apparently, this would have prevented the issue.
Also, a hard fail when I first tried to add the new user would have prevented that from happening.
The title of this issue might be a bit misleading. Feel free to suggest something better.
The text was updated successfully, but these errors were encountered: