nobody/nogroup shouldn't be used

[peterhoeg]

Issue description

The problem with nobody/nogroup is that people expect them to be nobody while in fact they are somebody named nobody. And that somebody is then shared among all services using it.

Their only legitimate purpose is for NFS.

Here are all the files mentioning either - let's get them knocked off!

• [x] lib/systems/parse.nix
• [x] nixos/doc/manual/development/writing-nixos-tests.section.md
• [x] nixos/doc/manual/from_md/development/writing-nixos-tests.section.xml
• [x] nixos/doc/manual/from_md/release-notes/rl-1909.section.xml
• [x] nixos/doc/manual/from_md/release-notes/rl-2111.section.xml
• [x] nixos/doc/manual/release-notes/rl-1909.section.md
• [x] nixos/doc/manual/release-notes/rl-2111.section.md
• [x] nixos/modules/config/users-groups.nix
• [x] nixos/modules/misc/ids.nix
• [ ] nixos/modules/misc/locate.nix
• [x] nixos/modules/programs/ccache.nix
• [x] nixos/modules/programs/mosh.nix
• [ ] nixos/modules/security/google_oslogin.nix
• [x] nixos/modules/security/tpm2.nix
• [x] nixos/modules/security/wrappers/default.nix
• [ ] nixos/modules/services/audio/icecast.nix
• [x] nixos/modules/services/audio/ympd.nix
• [ ] nixos/modules/services/backup/mysql-backup.nix
• [x] nixos/modules/services/cluster/kubernetes/default.nix
• [x] nixos/modules/services/development/hoogle.nix
• [ ] nixos/modules/services/hardware/triggerhappy.nix
• [ ] nixos/modules/services/logging/heartbeat.nix
• [x] nixos/modules/services/mail/freepops.nix
• [x] nixos/modules/services/mail/mailman.nix
• [x] nixos/modules/services/mail/opensmtpd.nix
• [x] nixos/modules/services/mail/postfix.nix
• [ ] nixos/modules/services/misc/cpuminer-cryptonight.nix
• [ ] nixos/modules/services/misc/mwlib.nix
• [ ] nixos/modules/services/misc/sssd.nix
• [ ] nixos/modules/services/misc/tautulli.nix
• [x] nixos/modules/services/network-filesystems/diod.nix
• [ ] nixos/modules/services/network-filesystems/rsyncd.nix
• [x] nixos/modules/services/network-filesystems/samba.nix
• [ ] nixos/modules/services/network-filesystems/u9fs.nix
• [ ] nixos/modules/services/network-filesystems/yandex-disk.nix
• [ ] nixos/modules/services/networking/atftpd.nix
• [ ] nixos/modules/services/networking/cjdns.nix
• [x] nixos/modules/services/networking/dhcpd.nix
• [x] nixos/modules/services/networking/firewall.nix
• [ ] nixos/modules/services/networking/htpdate.nix
• [x] nixos/modules/services/networking/hylafax/default.nix
• [x] nixos/modules/services/networking/ircd-hybrid/ircd.conf
• [x] nixos/modules/services/networking/nix-serve.nix
• [ ] nixos/modules/services/networking/ntopng.nix
• [x] nixos/modules/services/networking/ntp/ntpd.nix
• [ ] nixos/modules/services/networking/ocserv.nix
• [ ] nixos/modules/services/networking/oidentd.nix
• [x] nixos/modules/services/networking/powerdns.nix
• [ ] nixos/modules/services/networking/quicktun.nix
• [ ] nixos/modules/services/networking/rpcbind.nix
• [ ] nixos/modules/services/networking/shadowsocks.nix
• [ ] nixos/modules/services/networking/smokeping.nix
• [ ] nixos/modules/services/networking/ssh/sshd.nix
• [ ] nixos/modules/services/networking/stunnel.nix
• [ ] nixos/modules/services/networking/syncplay.nix
• [ ] nixos/modules/services/networking/unbound.nix
• [ ] nixos/modules/services/networking/xinetd.nix
• [ ] nixos/modules/services/web-apps/mattermost.nix
• [ ] nixos/modules/services/web-servers/jboss/default.nix
• [x] nixos/modules/services/web-servers/mighttpd2.nix
• [x] nixos/modules/services/web-servers/shellinabox.nix
• [x] nixos/modules/services/x11/desktop-managers/cde.nix
• [x] nixos/modules/services/x11/display-managers/default.nix
• [x] nixos/modules/tasks/filesystems/nfs.nix
• [ ] nixos/modules/virtualisation/oci-containers.nix
• [x] nixos/tests/buildbot.nix
• [x] nixos/tests/gitolite.nix
• [x] nixos/tests/hardened.nix
• [ ] nixos/tests/shadowsocks/common.nix
• [x] pkgs/applications/misc/ikiwiki/default.nix
• [ ] pkgs/applications/misc/rofi/default.nix
• [ ] pkgs/applications/networking/sync/rsync/default.nix
• [x] pkgs/applications/version-management/git-up/default.nix
• [x] pkgs/applications/video/vlc/default.nix
• [x] pkgs/applications/virtualization/crosvm/update.py
• [ ] pkgs/build-support/docker/default.nix
• [ ] pkgs/build-support/docker/examples.nix
• [x] pkgs/build-support/fetchfossil/builder.sh
• [x] pkgs/development/tools/build-managers/bazel/bazel_0_29/default.nix
• [x] pkgs/development/tools/build-managers/bazel/bazel_1/default.nix
• [x] pkgs/development/tools/build-managers/bazel/bazel_3/default.nix
• [x] pkgs/misc/vim-plugins/overrides.nix
• [x] pkgs/os-specific/linux/syslinux/default.nix
• [x] pkgs/servers/http/couchdb/2.0.0.nix
• [x] pkgs/servers/hylafaxplus/post-patch.sh
• [ ] pkgs/servers/mail/exim/default.nix
• [ ] pkgs/servers/news/leafnode/default.nix
• [ ] pkgs/tools/graphics/povray/default.nix
• [x] pkgs/tools/misc/moreutils/default.nix

Generated as follows:

grep -E --recursive --files-with-matches -e nobody -e nogroup | sort -u | sed -E -e 's/(.*)/- \[ \] \1/g'

[jabranham]

See #31990 for syncthing

[danbst]

Can nixos tests be excluded from this list? Also, the command-fu to regerate this list would be appreciated.

[aanderse]

Also worth mentioning that this list isn't exhaustive as when a group isn't specified in some cases nogroup will be used which obviously makes it harder to track them all down.

[peterhoeg]

Can nixos tests be excluded from this list?

If we look at nixos/test/certmgr.nix, those tests should definitely be changed as their use of nobody/nogroup is not correct. That being said, nixos/tests/buildbot.nix is a false positive.

Also, the command-fu to regerate this list would be appreciated.

I have updated the original post with the grep invocation.

[peterhoeg]

Also worth mentioning that this list isn't exhaustive as when a group isn't specified in some cases nogroup will be used which obviously makes it harder to track them all down.

Correct, something like will help:

sudo grep ' 65534 ' --files-with-matches /proc/**/gid_map

[peterhoeg]

I guess this was closed in error @Mic92?

[Mic92]

@peterhoeg yes, it was closed by a merged pull request.

[Mic92]

It would be better if instead of grep this would be an actual checklist.

[peterhoeg]

Sure, here you go.

[Mic92]

I filtered out a few false-positive i.e. nobody was used in a comment/different context or its usage was legitimate.

[aanderse]

Sounds like murmur also needs to be fixed.

[Mic92]

More instances: https://github.com/NixOS/nixpkgs/pull/119559

[Mic92]

I think there are potentially even more instances.. If a service has a user without a group it also runs as nogroup.

[rnhmjoj]

I updated the list. After #126289 and #133166 a bunch of (old) offenders have been unmasked, so the count went up a bit. Meanwhile some modules have been fixed, but we're still halfway through.

Most of these modules should be fixed by switching to systemd DynamicUser, the remaining just need to add a users.group.something = {};. Similarly, some setgid/setuid wrappers should simply use root.

I think we should consider adding an annoying warning (learning from my systemd-udev-settle experience) for programs running as nobody/nogroup. I'm not sure how to implement it, though.

[Mic92]

One does now actually get a warning on master if a user is missing a group. I think this should solve this issue here as modules no longer evaluate otherwise.

[rnhmjoj]

One does now actually get a warning on master if a user is missing a group. I think this should solve this issue here as modules no longer evaluate otherwise.

There are more way more cases than a system user missing a group:

1. chowning to nobody
2. running/dropping privileges as nobody:nogroup
3. creating nobody:nogroup files

This should not be closed, yet.