From: Mark H Weaver
To: Ludovic Courtès
Cc: Brendan Tildesley, 36508@debbugs.gnu.org
Subject: bug#36508: GDM files have incorrect owner after temporarily removing service
Date: Thu, 15 Apr 2021 14:30:40 -0400
Message-ID: <87lf9jiems.fsf@netris.org>
In-Reply-To: <875z0pgnqn.fsf@gnu.org>

Ludovic Courtès writes:

> Note that there are other places, in addition to GDM, where we
> forcefully reset the UID/GID of the home directory (e.g., for the
> ‘knot-resolver’ service.)
>
> My preferred solution to this would be to unconditionally chown -R home
> directories upon activation (for efficiency, it would be best if we
> could do that if and only if the home directory itself has wrong
> ownership).  Thoughts?

It might be okay to do this in specific cases like /var/lib/gdm, but I'm
very uncomfortable doing it for *all* users, because:

(1) We shouldn't assume that all files within a home directory are
    supposed to be owned by that user.

(2) We shouldn't assume that all files owned by a user will be within
    their home directory.

(3) We shouldn't assume that all files within a home directory are
    supposed to have the same 'group'.  I, for one, have sometimes had
    subdirectories of my home directory with a different 'group', to
    either restrict or grant other users access to selected files or
    directories.

(4) Groups do not, in general, have home directories.

(5) I consider it unsatisfactory for there to be *any* window of time
    during system activation when the ownership of files is incorrect.

>> Here's one idea: when activating a system, *never* delete users or
>> groups if files still exist that are owned by those users/groups.
>> Checking all filesystems would likely be too expensive, but perhaps it
>> would be sufficient to check certain directories such as /var, /etc, and
>> possibly the top directory of /home.
>
> How would you determine which directories to look at though?  What if we
> miss an important one?

Yes, that's a good point.  I suppose that my idea above is not
satisfactory either.

> Note that the ID allocation strategy in (gnu build accounts) ensures
> UIDs/GIDs aren’t reused right away (same strategy as implemented by
> Shadow, etc.).  So if you remove “bob”, then add “alice”, “alice” won’t
> be able to access the left-behind /home/bob because it has a different
> UID.

This mechanism is insufficient, because it only avoids the problem if
you add "alice" at the same time that "bob" is removed.  If you remove
"bob" during one system activation, and then later add "alice", then
"alice" might well be able to access bob's left-behind files.

In the case that I personally witnessed on my Guix system, files within
/var/lib/gdm ended up with 'colord' as their group.  That's not good.

Increasingly, I'm leaning toward the idea that the complete mapping from
names to IDs should somehow be explicitly given as part of the OS
configuration, as I advocated in .

What do you think?

    Thanks,
      Mark
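
A read-only check for the situation described in this message, as an added example that is not part of the original email or of Guix: it lists entries under a service home such as /var/lib/gdm whose owner or group differs from the expected account, or maps to no account at all, and changes nothing. The names `audit_tree`, `system_ids` and `Finding`, and the choice to pass the expected IDs explicitly, are assumptions made for this example.

```python
import grp
import os
import pwd
from typing import List, NamedTuple, Set


class Finding(NamedTuple):
    path: str
    uid: int
    gid: int
    reason: str


def system_ids():
    """UIDs and GIDs that currently resolve to an account or group."""
    return ({p.pw_uid for p in pwd.getpwall()},
            {g.gr_gid for g in grp.getgrall()})


def audit_tree(root: str, expected_uid: int, expected_gid: int,
               known_uids: Set[int], known_gids: Set[int]) -> List[Finding]:
    """Report, without modifying, entries under root with suspect ownership."""
    findings = []

    def check(path: str) -> None:
        st = os.lstat(path)  # lstat: judge the link itself, never its target
        reasons = []
        if st.st_uid not in known_uids:
            reasons.append("uid has no account")  # left behind by a removed user
        elif st.st_uid != expected_uid:
            reasons.append("unexpected owner")
        if st.st_gid not in known_gids:
            reasons.append("gid has no group")
        elif st.st_gid != expected_gid:
            reasons.append("unexpected group")  # e.g. gdm files with group colord
        if reasons:
            findings.append(Finding(path, st.st_uid, st.st_gid, ", ".join(reasons)))

    check(root)
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in sorted(dirnames + filenames):
            check(os.path.join(dirpath, name))
    return findings


if __name__ == "__main__":
    # Assumed target: the gdm account and its home, as named in the message.
    account = pwd.getpwnam("gdm")
    uids, gids = system_ids()
    for f in audit_tree(account.pw_dir, account.pw_uid, account.pw_gid, uids, gids):
        print(f"{f.path}\tuid={f.uid} gid={f.gid}\t{f.reason}")
```

A differing group is reported for review rather than treated as an error, since the message points out that a home directory may legitimately contain entries with another group.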