nm-openvpn uid conflicts with uid standard normal user

[goodwillcoding]

Hi @domenkozar
I recently provisioned a new 15.09 release box which ad my own custom user on it with basic configuration and immutable users:

users = { 
    mutableUsers = false;
    extraGroup.me = {
        name = "me";
        gid = 1000;
    };
    extraUsers.me = {
        isNormalUser = true;
        uid = 1000;
        group = "me";
    };
};

This box's installation also included NetworkManager as part of Gnome3. An odd issue started to happen shortly, where when WiFI was to drop and reconnenct my user name would suddenly change to nm-openvpn, which I could tell when I would open a new terminal and the PS1 line showed "nm-openvpn@hostname"

Upon investigation of the /etc/password using getent it became clear that both users were created with the same uid. Here is the getent return

$ getent passwd me nm-openvpn

me:x:1000:1000::/home/me:/run/current-system/sw/bin/bash
nm-openvpn:x:1000:65534::/var/empty:/run/current-system/sw/bin/nologin

After looking over #10689 and kamilchm@832c4ee it seems that nm-openvpn is not created with a specific uid (nor it's counterpart group created with a specific gid). That said users.enforceIdUniqueness is set to true so I am a bit at a loss as how this happened and might indicate bug with mutable users. I'll try to reproduce the bug this week to see if that is the case.

Setting the potential user creation bug aside I would say that nm-openvpn user and group should have their own ids/gids in ids.nix. If that is the case I will be happy to do a PR, please advise on the following though: do you want 2 PRs, one against master and one against release-15.09. Also do you want me to reflect the change in release notes somewhere.

-- @goodwillcoding

[domenkozar]

Huh, NixOS should have all the information available to resolve the uid/gid conflicts.

[domenkozar]

@goodwillcoding if you can provide a minimal example configuration.nix that reproduces the issue I can help you debug :)

[goodwillcoding]

@domenkozar I'll try to reproduce the issue sometime later this week. However, I wonder more in nm-openvpn user and group should have their ids in id.nix. Thoughts on that?

[ThomasMader]

I have the same problem.
@domenkozar My configuration is pretty small and you might be able to reproduce the problem. For me it happens when I try to sudo from my user account "thomad" it happens that nm-openvpn user is used for the sudo and so I can't sudo at all.

https://github.com/ThomasMader/configuration/blob/master/configuration.nix

[domenkozar]

Sorry I won't have time to help debug this anytime soon, if someone is willing to dig in and provide more information what's going on, it would help

[goodwillcoding]

@domenkozar ... I am pretty sure I know what is going on and I described it in the comment above: #11317 (comment)

Just let me know if you think the fix is ok:

nm-openvpn user and group should have their own ids/gids in ids.nix. If that is the case I will be happy to do a PR, please advise on the following though: do you want 2 PRs, one against master and one against release-15.09. Also do you want me to reflect the change in release notes somewhere.

[zimbatm]

Does nm-openvpn have to run under it's own user ? ^^ got a fix here

[domenkozar]

That's the first thing that comes to mind, but really we should have a general fix as ids shouldn't collide.

[goodwillcoding]

@zimbatm it seems it does: Issue #10689

[goodwillcoding]

This is the relevant upstream commit: https://mail.gnome.org/archives/commits-list/2015-June/msg00321.html

Not really sure if the user/group can be nobody/nobody though

[zimbatm]

Maybe uid and gid should be made mandatory, I don't think that automatically assigning them is going to be stable when the set of users changes.

There is a check here in the code that verifies that all ids are unique, but it filters-out the nulls: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/users-groups.nix#L347-L358