Web lists-archives.com

Namespace for system users


at work we have a large fleet of Debian machines, but also more than 200k user accounts with no reuse and somewhat painful rename experiences. Obviously an increasing number of accounts leads to a much increased risk of collisions with system users as created by Debian packages.

Of course it is easy to precompile a basic list to ban users from taking names like postfix, bind, or sshd. But it will never be exhaustive, packages are still free to come up with random names and users are free to install them and see things break.

Some core packages recently adding system users resorted to names like systemd-$daemon and _apt, which both address my concerns - as you can come up with simple rules like "no user might include [-_] in their username". On the other hand I know that Debian-* was painful and annoying for exim, but I suspect mostly because of the length of the username and tools dealing poorly with >8 character usernames. I think FreeBSD (among others?) picked the underscore at the front of the username. Intuitively that feels like a somewhat clean proposal that is also friendly to derivatives.

How do others deal with this problem? Could someone think of a viable approach on how to approach this from a policy side?

Kind regards and thanks
Philipp Kern