May 14, 2019

Technical Memo: DynamicUser in systemd

Recently, I received a really interesting question from my customer. He had found two files (directories) on his file system that belong to a user who is not in /etc/passwd. Specifically, on Ubuntu Linux 18.04, these two directories are

/var/lib/private/systemd
/var/lib/private/systemd/timesync

Both directories are owned by a user named systemd-timesync with UID/GID 62583, and this user has no entry in /etc/passwd.

Traditionally, a Linux user does not have to appear in /etc/passwd, because accounts can also come from remote sources, for example
  • LDAP
  • NIS / NIS+ server
  • Windows Active Directory domain controller
  • ...
All currently resolvable users, both from /etc/passwd and from remote sources, can be listed with the getent command [1], which queries every source configured in /etc/nsswitch.conf:

$ getent passwd

Unfortunately, our systemd-timesync user does not appear in the getent output.

A quick Google search points to an article [2] by systemd developer Lennart Poettering explaining the DynamicUser feature. The feature as described there requires systemd 235 or later. My client's environment is Ubuntu 18.04 with systemd 237, so his system supports DynamicUser.

DynamicUser addresses the problem of system accounts accumulating on a Linux host. A modern system has many system users whose only purpose is to run daemons, and comparatively few human users. When a package is removed, its system user is often not removed with it, leaving orphaned accounts behind. Worse, the files created by such a daemon keep the old UID/GID on disk. If that UID is later handed out to a newly created account, the new account silently owns those leftover files, and with them whatever the old daemon stored there, which weakens the security of the system. DynamicUser solves this by letting a service run as a system user that exists only while the service is running: systemd allocates a UID/GID from the range 61184 to 65519 when the service starts and releases it again when the service stops. While the service runs, the name resolves through the nss-systemd module (if it is enabled in /etc/nsswitch.conf); once the service stops, the name is gone and only the numeric UID remains on the files, so getent cannot resolve it. Persistent state for such a service is kept under /var/lib/private/ (declared with StateDirectory=, with the usual /var/lib/ path provided as a symlink into it), which is exactly where my client's directories live. To enable the feature, add DynamicUser=yes to the [Service] section of your unit file and systemd will set everything up for you.
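As an added example (not code from the original post, nor from systemd or Ubuntu), the shell script below does the two things a practitioner would want after reading the above: it audits a directory tree for files whose owner UID has no passwd entry, separating UIDs from systemd's dynamic range (61184 to 65519) from genuinely stale UIDs left behind by removed packages, and it renders a minimal unit file showing the DynamicUser=yes plus StateDirectory= pairing that produces a /var/lib/private directory like the one found by my client. The unit name example-daemon and its ExecStart path are placeholders.

```shell
#!/bin/bash
# Added example, not part of the original memo: audit files whose owner UID
# has no passwd entry and tell systemd dynamic UIDs apart from stale ones.

# systemd allocates dynamic users from this range (see DynamicUser= in
# systemd.exec(5)); anything unresolvable outside it is a leftover account.
DYN_UID_MIN=61184
DYN_UID_MAX=65519

# classify_uid UID -> prints "dynamic" if UID lies in systemd's dynamic
# range, otherwise "static".
classify_uid() {
    local uid=$1
    if [ "$uid" -ge "$DYN_UID_MIN" ] && [ "$uid" -le "$DYN_UID_MAX" ]; then
        echo dynamic
    else
        echo static
    fi
}

# uid_resolves UID -> exit 0 if getent can map the UID to a name through
# any NSS source (local passwd, LDAP, nss-systemd for a running service).
uid_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# audit_unowned DIR -> one line per file under DIR whose owner UID has no
# passwd entry: "<uid> <dynamic|static> <path>". GNU find's -nouser does the
# NSS lookup, so only unresolvable owners reach the loop.
audit_unowned() {
    local dir=$1
    find "$dir" -xdev -nouser -printf '%U %p\n' 2>/dev/null |
    while read -r uid path; do
        printf '%s\t%s\t%s\n' "$uid" "$(classify_uid "$uid")" "$path"
    done
}

# render_dynamic_user_unit -> prints a unit for a hypothetical daemon that
# runs as a dynamic user. StateDirectory= combined with DynamicUser= puts
# the state in /var/lib/private/example-daemon and leaves
# /var/lib/example-daemon as a symlink to it.
render_dynamic_user_unit() {
    cat <<'EOF'
[Unit]
Description=Example daemon running as a dynamic user (added example)

[Service]
ExecStart=/usr/local/bin/example-daemon
# allocate a UID/GID from 61184-65519 for the lifetime of the service
DynamicUser=yes
# persistent state lives in /var/lib/private/example-daemon
StateDirectory=example-daemon
EOF
}

# Default run: audit /var/lib (or the directory given as first argument).
audit_unowned "${1:-/var/lib}"
```

Run it as root to see every file; a line tagged "dynamic" is normally a stopped DynamicUser service's state directory, while a "static" line is an orphaned UID worth investigating before any new account is created with the same number.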

In Ubuntu 18.04, systemd-timesyncd uses this feature, which is why my client sees files owned by a systemd-timesync user that has no /etc/passwd entry. Unfortunately, at the time of this post this use of the feature seems buggy, so the Ubuntu developers decided to turn it off for timesyncd in later releases. From Ubuntu 19.04 (Disco Dingo) on, systemd-timesyncd will no longer use DynamicUser, so we can expect the systemd-timesync user to appear in /etc/passwd again.

References
  1. https://askubuntu.com/questions/504971/is-it-possible-for-users-not-to-be-in-passwd
  2. http://0pointer.net/blog/dynamic-users-with-systemd.html
