os/user: query systemd’s User/Group Record Lookup API in non-cgo environments before parsing /etc/passwd? #38810

stapelberg · 2020-05-02T15:21:59Z

I recently learnt about systemd’s “User/Group Record Lookup API via Varlink”.

It’s a new service introduced by systemd v245 (released March 6th 2020) which can take the role of getpwnam(3) and related calls.

We could consider this as an option for os/user, which currently integrates with Name Service Switch (NSS) only when cgo is available. In non-cgo environments, we could try querying systemd-userdbd.service(8) before falling back to the current behavior of parsing /etc/passwd.

There are two possible ways to query the service:

Parsing userdbctl --output=json. The upside is that userdbctl itself queries NSS if systemd-userdbd is not working. The downside is that we are relying on an external process. I’m not sure how this is regarded in the standard library, and whether overhead of os/user is of concern?
If we wanted to avoid the process overhead, we could integrate with systemd-userdbd directly. I implemented a <100-line proof of concept which prints just the user name. The User/Group Record Lookup API uses a subset of varlink, which boils down to sending and receiving 0-terminated JSON messages over a Unix socket.

Appendix:

userdbctl --output=json Output

{ "userName" : "root", "uid" : 0, "gid" : 0, "homeDirectory" : "/root", "shell" : "/bin/zsh", "privileged" : { "hashedPassword" : [ "$6$wKUquM/L7HzvV5eI$dhexy2iU1efxnYe6k0rm4qT8D1TOgAVtYYyjC5wZeClK.ETeCfPCn0xmwZKK/l8MtzJhtSPTsWEopILQXbA.40" ] }, "passwordChangeNow" : false, "lastPasswordChangeUSec" : 1588377600000000, "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "nobody", "uid" : 65534, "gid" : 65534, "realName" : "Nobody", "homeDirectory" : "/", "shell" : "/bin/nologin", "passwordChangeNow" : false, "lastPasswordChangeUSec" : 1588377600000000, "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "systemd-network", "uid" : 983, "gid" : 983, "realName" : "systemd Network Management", "homeDirectory" : "/", "shell" : "/bin/nologin", "passwordChangeNow" : false, "lastPasswordChangeUSec" : 1588377600000000, "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "systemd-resolve", "uid" : 982, "gid" : 982, "realName" : "systemd Resolver", "homeDirectory" : "/", "shell" : "/bin/nologin", "passwordChangeNow" : false, "lastPasswordChangeUSec" : 1588377600000000, "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "systemd-timesync", "uid" : 981, "gid" : 981, "realName" : "systemd Time Synchronization", "homeDirectory" : "/", "shell" : "/bin/nologin", "passwordChangeNow" : false, "lastPasswordChangeUSec" : 1588377600000000, "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "systemd-coredump", "uid" : 980, "gid" : 980, "realName" : "systemd Core Dumper", "homeDirectory" : "/", "shell" : "/bin/nologin", "passwordChangeNow" : false, "lastPasswordChangeUSec" : 1588377600000000, "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "systemd-network", "uid" : 101, "gid" : 101, "realName" : "network", "homeDirectory" : "/run/systemd/netif", "shell" : "/bin/false", "passwordChangeNow" : false, "lastPasswordChangeUSec" : 1588377600000000, "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "systemd-resolve", "uid" : 105, "gid" : 105, "realName" : "resolve", "homeDirectory" : "/run/systemd/resolve", "shell" : "/bin/false", "passwordChangeNow" : false, "lastPasswordChangeUSec" : 1588377600000000, "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "sshd", "uid" : 102, "gid" : 102, "homeDirectory" : "/", "shell" : "/bin/false", "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "messagebus", "uid" : 106, "gid" : 106, "homeDirectory" : "/var/run/dbus", "shell" : "/bin/false", "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "lightdm", "uid" : 979, "gid" : 979, "realName" : "Light Display Manager", "homeDirectory" : "/var/lib/lightdm", "shell" : "/bin/nologin", "passwordChangeNow" : false, "lastPasswordChangeUSec" : 1588377600000000, "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } } { "userName" : "polkitd", "uid" : 978, "gid" : 978, "realName" : "PolicyKit Daemon", "homeDirectory" : "/etc/polkit-1", "shell" : "/bin/nologin", "passwordChangeNow" : false, "lastPasswordChangeUSec" : 1588377600000000, "status" : { "12f5c9abd57d4914abe2d5cb4958378b" : { "service" : "io.systemd.NameServiceSwitch" } } }

The text was updated successfully, but these errors were encountered:

ianlancetaylor · 2020-05-02T19:48:25Z

We could also implement LDAP, but we've historically decided not to. What is the use case we're addressing here? Why do programs that use os/user want to avoid using cgo? And should this functionality live in a third party package instead?

stapelberg · 2020-05-02T20:23:13Z

We could also implement LDAP, but we've historically decided not to.

While related, that’s a much different call IMO: here, we implement 1 reasonably small API and get access to all NSS plugins.

What is the use case we're addressing here?
Why do programs that use os/user want to avoid using cgo?

I’m not saying they do.

I’m saying that when disabling cgo for whichever reason, there is a feature disparity in os/user, and we could decide to fix it for some environments. Not sure if that scenario is something we should care about. Just wanted to mention this and see what people think.

And should this functionality live in a third party package instead?

It certainly could. The downside of course is that users then first need to discover that package. I think that instead of having each programmer find out about the os/user behavior and having them pull in a third-party package, it would be nicer if os/user just worked in that scenario.

dmitshur · 2020-05-06T15:44:51Z

Also /cc @bradfitz @kevinburke per owners.

bradfitz · 2020-05-06T16:11:02Z

While related, that’s a much different call IMO: here, we implement 1 reasonably small API and get access to all NSS plugins.

That's a pretty compelling argument, actually.

As for whether we use os/exec: I don't feel strongly either way. Both options involve encoding/json, and the do-it-ourselves way doesn't look super invasive. I'd say do it ourselves if that meant running in more environments or if it was a hot path, but I can't imagine any environment that wouldn't have userdbctl but would have systemd, and I can't imagine this being too hot.

stapelberg · 2020-05-06T18:50:16Z

Cool! Does someone want to send a CL, or should I give it a shot when I find a minute?

stapelberg · 2020-05-28T07:00:29Z

Looks like nobody wants to race me to it, so I’ll give it a shot over the weekend.

stapelberg · 2020-09-12T20:34:49Z

Here’s how far I have come so far: stapelberg@87fae81

I’ll try and spend a few more minutes on turning this into a Gerrit CL for proper review next week.

stapelberg · 2020-09-21T13:57:17Z

Sent the corresponding CL: https://go-review.googlesource.com/c/go/+/256218

gopherbot · 2022-12-25T19:01:59Z

Change https://go.dev/cl/459455 mentions this issue: os/user: lookup Linux users and groups via systemd userdb

Otherwise fall back to parsing /etc/passwd, etc. Co-authored-by: Ananth Bhaskararaman <antsub@gmail.com> Co-authored-by: Michael Stapelberg <stapelberg@google.com> Fixes golang#38810

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

Otherwise fall back to parsing /etc/passwd, etc. Co-authored-by: Ananth Bhaskararaman <antsub@gmail.com> Co-authored-by: Michael Stapelberg <stapelberg@google.com> Fixes golang#38810

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

Fetch usernames and groups via systemd userdb if available. Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ianlancetaylor · 2023-03-24T00:08:33Z

CL was reverted.

gopherbot · 2023-03-24T05:51:43Z

Change https://go.dev/cl/478896 mentions this issue: os/user: lookup Linux users and groups via systemd-userdb

dmitshur added this to the Backlog milestone May 6, 2020

dmitshur added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label May 6, 2020

poettering mentioned this issue Nov 23, 2022

Tests and fixes for json output in bootctl and userdbctl systemd/systemd#25401

Open

wizardishungry mentioned this issue Dec 24, 2022

os/user User.Current() fails on Linux user accounts created by systemd-homed #57454

Closed

This was referenced Dec 24, 2022

Panics when user is created by systemd-homed probonopd/go-appimage#238

Closed

os/user: lookup Linux users and groups via systemd userdb #57458

Closed

ananthb added a commit to ananthb/go that referenced this issue Jan 3, 2023

Fetch usernames and groups via systemd userdb if available.

fdae8cc

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 3, 2023

Fetch usernames and groups via systemd userdb if available.

1b841d2

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 3, 2023

Fetch usernames and groups via systemd userdb if available.

e326437

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 3, 2023

Fetch usernames and groups via systemd userdb if available.

a53b007

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 3, 2023

Fetch usernames and groups via systemd userdb if available.

9c01b7c

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 3, 2023

Fetch usernames and groups via systemd userdb if available.

e286898

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 7, 2023

Fetch usernames and groups via systemd userdb if available.

0af2f6f

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 7, 2023

Fetch usernames and groups via systemd userdb if available.

384a589

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 7, 2023

Fetch usernames and groups via systemd userdb if available.

443c24e

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 7, 2023

Fetch usernames and groups via systemd userdb if available.

37b5bc0

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 7, 2023

Fetch usernames and groups via systemd userdb if available.

999c18c

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

ananthb added a commit to ananthb/go that referenced this issue Jan 7, 2023

Fetch usernames and groups via systemd userdb if available.

66df3fa

Otherwise fall back to parsing /etc/passwd, etc. Fixes golang#38810 Co-authored-by: Michael Stapelberg <stapelberg@google.com>

gopherbot closed this as completed in 1596d71 Mar 23, 2023

ianlancetaylor reopened this Mar 24, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

os/user: query systemd’s User/Group Record Lookup API in non-cgo environments before parsing /etc/passwd? #38810

os/user: query systemd’s User/Group Record Lookup API in non-cgo environments before parsing /etc/passwd? #38810

stapelberg commented May 2, 2020

ianlancetaylor commented May 2, 2020

stapelberg commented May 2, 2020

dmitshur commented May 6, 2020

bradfitz commented May 6, 2020

stapelberg commented May 6, 2020

stapelberg commented May 28, 2020

stapelberg commented Sep 12, 2020

stapelberg commented Sep 21, 2020

gopherbot commented Dec 25, 2022

ianlancetaylor commented Mar 24, 2023

gopherbot commented Mar 24, 2023

os/user: query systemd’s User/Group Record Lookup API in non-cgo environments before parsing /etc/passwd? #38810

os/user: query systemd’s User/Group Record Lookup API in non-cgo environments before parsing /etc/passwd? #38810

Comments

stapelberg commented May 2, 2020

ianlancetaylor commented May 2, 2020

stapelberg commented May 2, 2020

dmitshur commented May 6, 2020

bradfitz commented May 6, 2020

stapelberg commented May 6, 2020

stapelberg commented May 28, 2020

stapelberg commented Sep 12, 2020

stapelberg commented Sep 21, 2020

gopherbot commented Dec 25, 2022

ianlancetaylor commented Mar 24, 2023

gopherbot commented Mar 24, 2023