#2345 Issue closed: Have CLONE_ALL_USERS_GROUPS="yes" by default?

Labels: enhancement, documentation, cleanup, fixed / solved / done

jsmeix opened issue at 2020-03-19 15:11:

Currently we have in default.conf

CLONE_ALL_USERS_GROUPS="no"

because of backward compatibility, see
https://github.com/rear/rear/blob/master/usr/share/rear/conf/default.conf#L1411
but in general things would work more fail-safe in the recovery system
when it contains all local users of the original system by default,
see that section in default.conf and for another example see
https://github.com/rear/rear/issues/2341

Is there a real reason why the ReaR recovery system should not
have all local users of the original system by default?

I am wondering if all local users in the recovery system by default
could result in some security issue because of whatever secrets
in the recovery system by default in particular passwords
or password hashes.
On my openSUSE Leap 15.1 system etc/passwd of the recovery system is

root::0:0:root:/root:/bin/bash
daemon:x:2:2:Daemon:/sbin:/sbin/nologin
rpc:x:477:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
usbmux:x:466:65533:usbmuxd daemon:/var/lib/usbmuxd:/sbin/nologin
nobody:x:65534:65534:nobody:/var/lib/nobody:/bin/bash
sshd:x:467:467:SSH daemon:/var/lib/sshd:/bin/false

so there are no password hashes and there is no etc/shadow
or etc/gshadow in my recovery system so I think the recovery system
does not contain password hashes.
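
The check described in this post (no password hashes in etc/passwd, no etc/shadow or etc/gshadow) can be run mechanically over a recovery system tree. The following is an added example, not part of the original issue or of ReaR's own code; the function names, the directory argument (an unpacked copy of the recovery system's root filesystem) and the sample entries with their placeholder hash are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: report password material in an unpacked recovery system tree.
# Output: one finding per line as "<file>:<account>:<kind>".
audit_recovery_etc() {
    local rootfs="$1" f flag_empty
    for f in passwd shadow gshadow; do
        [ -r "$rootfs/etc/$f" ] || continue
        # An empty gshadow password field is routine; flag it only in passwd/shadow.
        if [ "$f" = gshadow ]; then flag_empty=0; else flag_empty=1; fi
        awk -F: -v file="etc/$f" -v flag_empty="$flag_empty" '
            /^#/ || NF < 2 { next }
            {
                pw = $2
                if (pw == "") {            # e.g. "root::0:0:..." = login without password
                    if (flag_empty == 1) print file ":" $1 ":empty-password"
                    next
                }
                sub(/^!+/, "", pw)         # a locked entry can still carry a hash
                if (pw == "" || pw == "*" || pw == "x") next
                print file ":" $1 ":hash"
            }
        ' "$rootfs/etc/$f"
    done
    return 0
}

# Constructed sample tree: passwd entries as quoted in the post, plus a
# constructed etc/shadow to show what a finding looks like.
make_sample_rootfs() {
    local d
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc"
    printf '%s\n' \
        'root::0:0:root:/root:/bin/bash' \
        'daemon:x:2:2:Daemon:/sbin:/sbin/nologin' \
        'sshd:x:467:467:SSH daemon:/var/lib/sshd:/bin/false' > "$d/etc/passwd"
    # Placeholder value, not a real hash
    printf '%s\n' \
        'root:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18000::::::' \
        'daemon:*:18000::::::' > "$d/etc/shadow"
    printf '%s\n' "$d"
}

sample=$(make_sample_rootfs)
audit_recovery_etc "$sample"
rm -rf "$sample"
```

On a tree that matches the post (no etc/shadow, only `x` entries besides root) the only finding is the empty root password field.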

jsmeix commented at 2020-03-20 14:00:

With CLONE_ALL_USERS_GROUPS="yes"
the only difference of the entries in etc/passwd
on my original system compared to my ReaR recovery system is

-root:x:0:0:root:/root:/bin/bash
+root::0:0:root:/root:/bin/bash

and the entries in etc/group are the same for me.

gdha commented at 2020-04-15 08:42:

@jsmeix will do a test to see what it gives.

jsmeix commented at 2020-04-15 09:17:

@gdha
thank you for having a look how it would behave on your system(s).

pcahyna commented at 2020-04-15 09:18:

I don't know what might be all the implications, but it sounds reasonable. Better than trying to cherry-pick users that might be needed and hitting problems like #2341.

jsmeix commented at 2020-04-15 09:41:

@pcahyna
could you check if CLONE_ALL_USERS_GROUPS="yes"
behaves reasonably well on some RHEL standard systems?

I think all we need to check is that CLONE_ALL_USERS_GROUPS="yes"
behaves reasonably well on default systems so that we could use it
in our default.conf.
Of course when users do exceptional things then the ReaR defaults
may no longer "just work".

pcahyna commented at 2020-04-15 10:08:

@yontalcar can you please have a look?

jsmeix commented at 2020-04-29 15:52:

If there are no objections I would like to have that
in the next ReaR 2.6 release, cf.
https://github.com/rear/rear/issues/2368

@gdha @pcahyna @yontalcar
and in general all @rear/contributors
could you provide some info how things look from your point of view?

jsmeix commented at 2020-05-14 14:06:

@rear/contributors
please - as far as your time permits - have a look at
https://github.com/rear/rear/pull/2399

pcahyna commented at 2020-05-14 20:49:

@yontalcar please have a look!

jsmeix commented at 2020-05-19 12:45:

With https://github.com/rear/rear/pull/2399
this issue should be done.

If there are security issues or even regressions because of
the new default CLONE_ALL_USERS_GROUPS="true"
please report them as new separate issues.


[Export of Github issue for rear/rear.]