[Please cc me on replies as I am not currently subscribed to the list.]

Hi,

now that we are talking again about standardizing user creation using sysusers, I wonder if you could give me any guidance on how to attack the Debian system user namespacing problem.

There are some well-known usernames like "root" that are a given for an organization to block. But there are many usernames dynamically created by applications. DynamicUser would solve part of the problem, but some services need to persist data and sometimes it is useful to reference a fixed identity even outside of a filesystem context (e.g. in iptables rules).

At my organization we had collisions with regular usernames - e.g. a user legitimately called themselves "bind" because part of their name was "Bin". Debian does not maintain a complete list of such usernames and it is even hard to compute from the packages right now, given that the users are created from maintainer scripts and sometimes are even configured from Debconf (which is another arbitrary indirection).

OpenBSD rather successfully standardized on the underscore prefix to eliminate this conflict altogether. I would like that we recommend the same thing. The main question that has been raised was how to manage the migration. I think the priority should be on stopping the bleeding and new users should follow a consistent scheme, but I understand how without a migration plan we just end up with "one more scheme" (even if it might be the most popular now except using none at all[1]).

I tried to raise this issue in [2] a year ago, but I think I don't know how to even start drafting a policy snippet about this. Would it be sufficient to just mandate "In order to avoid collisions with accounts created by the system administrator, usernames created by packages should start with an underscore." (assuming we could get a rough consensus for something like that) in 9.2.1 for now? Or is this effectively infeasible until we come up with a good migration story?

Kind regards
Philipp Kern

[1] https://people.debian.org/~pkern/permanent/userlist.txt
[2] https://lists.debian.org/debian-devel/2019/02/msg00131.html and following