More commentary for user management post: filenames are another example of POSIX being too flexible

Anthony Wang 2024-06-02 22:40:41 -05:00
parent 950e5b1ce8
commit ee486e9707
Signed by: a
SSH key fingerprint: SHA256:B5ADfMCqd2M7d/jtXDoihAV/yfXOAbWWri9+GdCN4hQ


@ -12,7 +12,7 @@ If something exists, Bad Apple!! will be played on it, so [in this post](https:/
## The intricacies of POSIX user management
The exozyme server recently switched from LDAP to PAM for user management, so both @a and @iacore wrote articles about some of the subtleties of the standard user management systems on Linux and other Unix-like OSes. On Linux, PAM authentication by default requires being root or having access to the password hashes in `/etc/passwd`, but @a found that [it's possible to use a tool called SSSD](https://a.exozy.me/posts/pam-auth-without-access-etc-shadow/) to get around that for better security. [@iacore's article](https://www.1a-insec.net/frag/37-posix-login/), among other things, discusses how it's legal for a UID to have more than one username and its the cursed consequences.
The exozyme server recently switched from LDAP to PAM for user management, so both @a and @iacore wrote articles about some of the subtleties of the standard user management systems on Linux and other Unix-like OSes. On Linux, PAM authentication by default requires being root or having access to the password hashes in `/etc/passwd`, but @a found that [it's possible to use a tool called SSSD](https://a.exozy.me/posts/pam-auth-without-access-etc-shadow/) to get around that for better security. [@iacore's article](https://www.1a-insec.net/frag/37-posix-login/), among other things, discusses how it's legal for a UID to have more than one username and its the cursed consequences. I can't really think of legitimate use cases for that, so I guess this is one example where POSIX has too much flexibility. Another prime example is how only the null character and slashes are forbidden in filenames. That opens up filenames to a whole host of sketchy characters like control characters and newlines that have no business being in filenames and just cause bugs.
## Static Site Hosting Providers
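
Review bot: The rewritten paragraph still says PAM authentication needs access to the password hashes in `/etc/passwd`, but the post linked in the same sentence has `etc-shadow` in its URL, and on Linux the hashes are kept in `/etc/shadow`; since this line is being rewritten anyway, change the path to `/etc/shadow`. The carried-over phrase "and its the cursed consequences" also has a stray "the" and should read "and its cursed consequences". For the new filename sentences, "only the null character and slashes are forbidden" is accurate; it would help readers to name one concrete consequence of newlines in filenames (for example, tools that process one filename per line misparse them) so "just cause bugs" is not left abstract.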