NixOS doesn't detect UID/GID collisions

[matthiasbeyer]

Describe the bug

NixOS rolls a dice on system service user IDs.
This caused a very weird bug on my nextcloud deployment: #112640

The issue was, in short, that the nextcloud user got an UID (1001) which I assigned to a new user later on.
This resulted, after a reboot, that the phpfpm-nextcloud.service was started as user (bob) and nothing worked.
The fix felt like digging in mud, coming from the clean and shiny world of NixOS.

But, maybe not so shiny: I blame nixos here.

To Reproduce
Steps to reproduce the behavior:

1. run nextcloud, or redis,... or any other service that gets a random UID
2. add a new user with said UID, because you don't know and don't expect the UID to already be assigned - because, to be honest: Who in the world would think that a system service gets UID 1001 or 1002?
3. Profit!

Expected behavior

User IDs MUST be hardcoded by the administrator / author of configuration.nix

---

I know that there are predefined UIDs, but for some services there are not (and redis even got removed!). Apparently, this would have prevented the issue.
Also, a hard fail when I first tried to add the new user would have prevented that from happening.

---

The title of this issue might be a bit misleading. Feel free to suggest something better.

[symphorien]

The issue looks like the user for nextcloud is not labeled as system user (which would cause it to be assigned an id below 1000).
I wonder if we should make explicitely specifying wether a user is system or normal mandatory (by not providing a default value to the option).

[primeos]

I wonder if we should make explicitely specifying wether a user is system or normal mandatory (by not providing a default value to the option).

That would be great for Nixpkgs IMO (I assume isSystemUser should always be true for Nixpkgs modules but since the default is false this is currently pretty error-prone). And since isNormalUser sets isSystemUser to false this might not even require that many changes outside of Nixpkgs, at least for normal user configurations (out-of-tree NixOS modules would likely still be impacted).

NixOS rolls a dice on system service user IDs.

IIRC I once heard that they're assigned incrementally and tracked via /var/lib/nixos/{uid,gid}-map but I've never looked into that myself.
Edit: See allocId in nixos/modules/config/update-users-groups.pl.

The other thing that surprised me is that UID clashes are apparently not detected: #112640 (comment)
Due to users.mutableUsers defaulting to true this is unfortunately not something that can detect any collision but adding new users outside of the NixOS configuration is likely pretty uncommon (I assume users.mutableUsers=true is usually only required for setting and changing passwords securely outside of the NixOS configuration / world-readable Nix store).
Edit: Checking for UID collisions at evaluation time should be possible by parsing users-groups.json:

nixpkgs/nixos/modules/config/users-groups.nix

Line 402 in bc0d605

spec = pkgs.writeText "users-groups.json" (builtins.toJSON {

(and ID collisions from useradd/groupadd could emit a warning/error via during the activation - nixos/modules/config/update-users-groups.pl already seems to emit some warnings if necessary).

[matthiasbeyer]

> I wonder if we should make explicitely specifying wether a user is system or normal mandatory (by not providing a default value to the option).

I don't know what the actual way is to make it less error-prone, but I would have expected that either the new user failed on deployment because the UID was already used, or the system service configuration failing on first install because I didn't tell it which UID to use. Either way would be fine for me, but silently working in the deployment and then breaking at runtime is an issue.

On 10-02-2021 09:54:38, Michael Weiss wrote: > NixOS rolls a dice on system service user IDs. IIRC I once heard that they're assigned incrementally and tracked via `/var/lib/nixos/{uid,gid}-map` but I've never looked into that myself.

Rolling dice vs. assigning incrementally - doesn't matter, it collided and that shouldn't have happened.

[primeos]

The title of this issue might be a bit misleading. Feel free to suggest something better.

I assume "NixOS doesn't detect UID/GID collisions now" is the main issue (please correct me if I'm wrong).

[kira-bruneau]

I just ran into this problem too. I tried to create a new "builder" user for distributed builds, but I didn't realize that a user with the same UID (1001) was already automatically assigned for localtimed.

[xaverdh]

So what would the expected behavior be, should update-user-groups emit a warning?

[primeos]

So what would the expected behavior be, should update-user-groups emit a warning?

Yes, that would be helpful.
And more importantly UID/GID collisions in users-groups.json should IMO be a hard error during the evaluation (see #112647 (comment) - though we'd obviously have to detect the collision based on the sources for generating users-groups.json to throw an error during the evaluation; hopefully this won't cause much overhead).

[matthiasbeyer]

On 11-02-2021 00:22:06, xaverdh wrote: So what would the expected behavior be, should `update-user-groups` emit a warning?

No, it should break my build entirely. To not break backwards-compatibility, tho, I would argue that a warning for now, and as soon as the next nixos release is made, this should be turned into a hard error.

[xaverdh]

No, it should break my build entirely.
To not break backwards-compatibility, tho, I would argue that a warning for now,
and as soon as the next nixos release is made, this should be turned into a hard
error.

I think the issue is that this can only be detected at run time, because the previously used ids are state in /etc/passwd and /var/lib/nixos/* respectively. So the build can not fail depending on this information.
At best it could fail when switching to the configuration (or on boot).

[symphorien]

Failing on generation activation does not look like a good idea because then affecting a new user imperatively can make previous generation unbootable.

[matthiasbeyer]

On 11-02-2021 06:22:46, Guillaume Girol wrote: Failing on generation activation does not look like a good idea because then affecting a new user imperatively can make *previous* generation unbootable.

yep, that sounds like a real issue. I guess the best way would be to disallow services without UID configuration. This way, the admin _must_ provide a UID for each service they configure. At this point, this sounds like the only approach that might work.

[primeos]

I feel like we're running a bit in circles here... :o
I thought my edits in #112647 (comment) would explain what could be done during the evaluation, build, or activation phase (but tbh only linking to the relevant source-code places was likely too lazy of me).

I think the issue is that this can only be detected at run time

No, AFAIK this is only true for some cases that are hopefully pretty uncommon (useradd/groupadd, s. #112647 (comment)).

Failing on generation activation does not look like a good idea because then affecting a new user imperatively can make previous generation unbootable.

That's a good point. And additionally I assume that errors in activation scripts should never occur because that could put the system in an "unknown/undefined" state (if only some of the activation steps where executed).

I guess the best way would be to disallow services without UID configuration.
This way, the admin must provide a UID for each service they configure.

Forcing everyone to manually assign all UIDs and GIDs sounds like a bad idea to me (though we could make this optional if that isn't already possible by e.g. setting/overriding the default UID/GID values). And it would still be error prone (currently collisions should only occur if the admin assigns a UID/GID that's already in use, so IMO there might be no or only very minor advantages depending on some implementation details).