nixos/users-groups: Enforce ASCII usernames and fix repeated doubling of activation script runtime #385904

Merged: infinisil merged 2 commits into NixOS:master from tweag:non-standard-usernames on Mar 19, 2025
@infinisil (Member) commented Feb 28, 2025

I unsuccessfully tried to specify a non-ASCII username, all kinds of things broke, so I undid that. Only a bit later I'm running into a very weird problem: The NixOS activation script is taking ~twice as long to finish every time it's run, now up to ~10 minutes!

After debugging, I figured out that it's taking so long to decode the /var/lib/nixos/auto-subuid-map, which has grown to 24MB! Turns out, the users-groups script has been doubly-encoding that file as UTF-8, while only singly-decoding it. While this works fine if it's just ASCII, this leads to an exponential explosion for anything else. Here's a demo of this:

```perl
#!/usr/bin/env perl

use utf8;
use File::Slurp;
use JSON;

my $file = "/tmp/perl-encoding-test";
my $content = "猫\n";

sub run {
    print $content;
    # Both write_file and encode_json take care of encoding to UTF-8,
    # so this doubly-encodes as UTF-8!
    # Should be without the binmode, or to_json alternatively
    write_file($file, { binmode => ':utf8' }, encode_json($content));
    $content = decode_json(read_file($file));
}

run();
run();
run();
run();
```

```
$ nix-shell -p 'perl.withPackages (p: [ p.FileSlurp p.JSON ])' --run 'perl -CS ./test.pl'
猫
�
�
�§���«
```

In addition to avoiding this double encoding, this PR also adds an assertion to ensure that users.users.*.name only matches what shadow considers valid, to save the trouble of users running into other issues with weird usernames.

Note that Ubuntu by default limits usernames to the more strict [a-z][-a-z0-9_]*, but that would break some configs.

Ping @adisbladis who originally introduced the code and @Mic92 who did some other UTF-8 fixes in the script.

Things done

  • Ran the patched activation script on my system and checked that non-ASCII characters in /var/lib/nixos/auto-subuid-map don't get elongated anymore.
  • Set users.users."猫" and ensured that an assertion is thrown:
    Failed assertions:
    - The username "猫" is not valid, it does not match the regex "[a-zA-Z0-9_.][a-zA-Z0-9_.-]*".
    

This work is funded by Antithesis and Tweag

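The file growth from the demo above, modelled in Python as an added example (not code from the PR or from nixpkgs): `buggy_round` encodes twice and decodes once, `fixed_round` encodes once, and `is_valid_username` applies the regex quoted in the assertion message. The function names, the sample usernames and the whole-string matching are assumptions made for illustration.

```python
import json
import re

# Regex quoted in the PR's assertion message.
# Assumption: the check must match the whole name, hence fullmatch().
VALID_USERNAME = re.compile(r"[a-zA-Z0-9_.][a-zA-Z0-9_.-]*")


def is_valid_username(name: str) -> bool:
    return VALID_USERNAME.fullmatch(name) is not None


def buggy_round(text: str) -> tuple[str, int]:
    """One activation with the bug: UTF-8 encode twice on write, decode once on read."""
    # Like encode_json: the result is already UTF-8 bytes.
    json_bytes = json.dumps(text, ensure_ascii=False).encode("utf-8")
    # Like the extra :utf8 layer: every byte is treated as a character and encoded again.
    on_disk = json_bytes.decode("latin-1").encode("utf-8")
    # Like decode_json on the raw file: only one layer is undone.
    return json.loads(on_disk.decode("utf-8")), len(on_disk)


def fixed_round(text: str) -> tuple[str, int]:
    """One activation without the extra layer: encode once, decode once."""
    on_disk = json.dumps(text, ensure_ascii=False).encode("utf-8")
    return json.loads(on_disk.decode("utf-8")), len(on_disk)


def sizes(round_fn, text: str, rounds: int) -> list[int]:
    """File size in bytes after each of `rounds` consecutive activations."""
    out = []
    for _ in range(rounds):
        text, size = round_fn(text)
        out.append(size)
    return out


if __name__ == "__main__":
    for name in ("alice", "猫"):  # constructed sample usernames
        print(repr(name), "valid:", is_valid_username(name),
              "buggy:", sizes(buggy_round, name, 5),
              "fixed:", sizes(fixed_round, name, 5))
```

The ASCII name stays the same size under both variants, while each non-ASCII byte doubles on every buggy round, which is why the problem only shows up once a non-ASCII string has been written to the map.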

Because with it only being single-UTF8-decoded, this led to the file
~doubling in size whenever it contained any non-ASCII characters!
@github-actions bot added the labels 6.topic: nixos, 8.has: module (update), 10.rebuild-darwin: 1-10 and 10.rebuild-linux: 1-10 on Feb 28, 2025
@SuperSandro2000 (Member)

The rabbit hole calls 😂 Good that you dug that up!

Prevents running into the problem from the parent commit in the first
place.
@infinisil force-pushed the non-standard-usernames branch from ad97b6d to b602f86 on February 28, 2025 21:34
@keysmashes (Contributor)

"Enforce non-ASCII usernames" in the PR title seems like the opposite of the goal :p

@infinisil changed the title from "nixos/users-groups: Enforce non-ASCII usernames and fix repeated doubling of activation script runtime" to "nixos/users-groups: Enforce ASCII usernames and fix repeated doubling of activation script runtime" on Feb 28, 2025
@wegank added the 12.approvals: 1 label on Mar 1, 2025
@infinisil (Member, Author)

Would anybody like to merge this? I'd rather avoid self-merges if possible :)

@infinisil merged commit 4f6e508 into NixOS:master on Mar 19, 2025
36 checks passed
@infinisil deleted the non-standard-usernames branch on March 19, 2025 16:33