authorLennart Poettering <lennart@poettering.net>2020-06-26 22:36:39 +0200
committerGitHub <noreply@github.com>2020-06-26 22:36:39 +0200
commitbed0b7dfc0070e920d00c89d9a4fd4db8d974cf0 (patch)
treed4a379f1a9fa28409ce8231844ea6616bbd6fc3c
parent7143b95552f1b4782871919f78aa54f53c007142 (diff)
downloadsystemd-bed0b7dfc0070e920d00c89d9a4fd4db8d974cf0.tar.gz
pid1: warn if people use User=nobody (#16293)
-rw-r--r--TODO4
-rw-r--r--catalog/systemd.catalog.in20
-rw-r--r--src/core/load-fragment.c11
-rw-r--r--src/systemd/sd-messages.h4
4 files changed, 35 insertions, 4 deletions
diff --git a/TODO b/TODO
index c356f60a87..bb49b7a799 100644
--- a/TODO
+++ b/TODO
@@ -30,10 +30,6 @@ Features:
* if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it
-* warn if User=nobody is used in a unit file. It's the overflow UID after all,
- and the service might thus get access to files it really should not get
- access to on NFS and userns environments.
-
* build short web pages out of each catalog entry, build them along with man
pages, and include hyperlinks to them in the journal output
diff --git a/catalog/systemd.catalog.in b/catalog/systemd.catalog.in
index 9ba5656f16..1d3b62a2f4 100644
--- a/catalog/systemd.catalog.in
+++ b/catalog/systemd.catalog.in
@@ -464,3 +464,23 @@ system shutdown.
It is generally recommended to avoid such overly long mount point paths, or —
if used anyway – manage them independently of systemd, i.e. establish them as
well as tear them down automatically at system shutdown by other software.
+
+-- b480325f9c394a7b802c231e51a2752c
+Subject: Special user @OFFENDING_USER@ configured, this is not safe!
+Defined-By: systemd
+Support: %SUPPORT_URL%
+Documentation: https://systemd.io/UIDS-GIDS
+
+The unit @UNIT@ is configured to use User=@OFFENDING_USER@.
+
+This is not safe. The @OFFENDING_USER@ user's main purpose on Linux-based
+operating systems is to be the owner of files that otherwise cannot be mapped
+to any local user. It's used by the NFS client and Linux user namespacing,
+among others. By running a unit's processes under the identity of this user
+they might possibly get read and even write access to such files that cannot
+otherwise be mapped.
+
+It is strongly recommended to avoid running services under this user identity,
+in particular on systems using NFS or running containers. Allocate a user ID
+specific to this service, either statically via systemd-sysusers or dynamically
+via the DynamicUser= service setting.
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 0445a3a2c9..f9c974f9b5 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -13,6 +13,8 @@
#include <sched.h>
#include <sys/resource.h>
+#include "sd-messages.h"
+
#include "af-list.h"
#include "alloc-util.h"
#include "all-units.h"
@@ -2287,6 +2289,15 @@ int config_parse_user_group_compat(
return -ENOEXEC;
}
+ if (strstr(lvalue, "User") && streq(k, NOBODY_USER_NAME))
+ log_struct(LOG_NOTICE,
+ "MESSAGE=%s:%u: Special user %s configured, this is not safe!", filename, line, k,
+ "UNIT=%s", unit,
+ "MESSAGE_ID=" SD_MESSAGE_NOBODY_USER_UNSUITABLE_STR,
+ "OFFENDING_USER=%s", k,
+ "CONFIG_FILE=%s", filename,
+ "CONFIG_LINE=%u", line);
+
return free_and_replace(*user, k);
}
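Review bot: The new check `if (strstr(lvalue, "User") && streq(k, NOBODY_USER_NAME))` matches only the literal account name, so a unit that spells the same overflow identity numerically (`User=65534`) or via a distro alias for that UID loads without the notice, even though the hazard described in the message comes from the UID, not the name. If numeric IDs are accepted on this path (config_parse_user_group_compat starts outside the hunk, so that is not visible here), resolving `k` to a uid and comparing against UID_NOBODY would close the gap, with the string compare kept as the cheap first test. `Group=nobody`/`nogroup` is likewise left silent; the overflow GID has the same unmappable-file role on NFS and user namespaces, so either extend the check to the Group branch or state in the catalog text that only User= is diagnosed, so operators do not read a clean load as a clean unit.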
diff --git a/src/systemd/sd-messages.h b/src/systemd/sd-messages.h
index f5dd0a04c7..00846ea00b 100644
--- a/src/systemd/sd-messages.h
+++ b/src/systemd/sd-messages.h
@@ -166,6 +166,10 @@ _SD_BEGIN_DECLARATIONS;
#define SD_MESSAGE_MOUNT_POINT_PATH_NOT_SUITABLE_STR \
SD_ID128_MAKE_STR(1b,3b,b9,40,37,f0,4b,bf,81,02,8e,13,5a,12,d2,93)
+#define SD_MESSAGE_NOBODY_USER_UNSUITABLE SD_ID128_MAKE(b4,80,32,5f,9c,39,4a,7b,80,2c,23,1e,51,a2,75,2c)
+#define SD_MESSAGE_NOBODY_USER_UNSUITABLE_STR \
+ SD_ID128_MAKE_STR(b4,80,32,5f,9c,39,4a,7b,80,2c,23,1e,51,a2,75,2c)
+
_SD_END_DECLARATIONS;
#endif