You have been subscribed to a public bug by Kees Cook (kees):

Binary package hint: base-passwd

The update-passwd tool does not seem to respect groups defined in
databases other than /etc/group.  I recently upgraded a Lucid system,
and got this message

----
Setting up base-passwd (3.5.22) ...

update-passwd has found some differences between your system accounts
and the current Debian defaults. It is advisable to allow update-passwd
to change your system; without those changes some packages might not work
correctly.  For more documentation on the Debian account policies please
see /usr/share/doc/base-passwd/README.

The list of proposed changes is:

Adding group "cdrom" (24)
Adding group "video" (44)
Would commit 2 changes

It is highly recommended that you allow update-passwd to make these changes
(a backup file of modified files is made with the extension .org so you can
always restore the current settings).

May I update your system? [Y/n]
----

I opened another terminal, and ran a couple of perl one-liners:

----
sauer@stinky:~$ perl -le 'print scalar getgrnam(cdrom)'
24
sauer@stinky:~$ perl -le 'print scalar getgrnam(video)'
44
----

The perl commands had reasonable output given that the cdrom group is
defined in LDAP, which is where I manage a whole bunch of users and
groups for a group of systems:

----
sauer@stinky:~$ grep -w group /etc/nsswitch.conf 
# pre_auth-client-config # group:          compat
group: files ldap
sauer@stinky:~$ ldapsearch -x cn=cdrom | grep -v -e ^# -e ^$
dn: cn=cdrom,ou=Group,dc=cloudmaster,dc=com
objectClass: posixGroup
objectClass: top
cn: cdrom
gidNumber: 24
memberUid: haldaemon
memberUid: sauer
memberUid: mythtv
search: 2
result: 0 Success
----

I need to add LDAP users to some of these groups, and I don't want to do
so by editing individual group files on all the boxes.  This is why I
*have* LDAP. :) As such, it would be nice if the update-passwd program
would use the libc calls to see if groups are defined, rather than just
blindly working on the files.

This is also a marginal security issue, as it's possible that someone
could have a different name-id mapping in their repository vs. the
passwd or group file for a system account.  Since most remote databases
(AD, LDAP, NIS, etc.) allow local files to override the remote
repository, but Linux NSS merges the two repositories (depending on the
program), it's possible that someone could end up being granted access
that they're not supposed to have when a local group is manipulated.  As
these are the lower-level system groups, it seems worthwhile to be as
safe as possible when handling them. :)

** Affects: base-passwd (Ubuntu)
     Importance: Undecided
         Status: New

-- 
update-passwd ignores ldap
https://bugs.launchpad.net/bugs/712710
You received this bug notification because you are a member of Ubuntu Bugs, 
which is a direct subscriber.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
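
The check the report asks for, written out as an added example (this is not
code from base-passwd or update-passwd, and it is not the reporter's script):
resolve each Debian default group through libc's getgrnam(3)/getgrgid(3),
which follow /etc/nsswitch.conf, instead of only reading /etc/group, and
refuse to "add" a group when the local file, the NSS view and the default
disagree on the name-id mapping.  Only the two groups that appear in the
report's update-passwd output are listed; the resolver helpers and the
verdict names are this example's own, and the group-file text in the
usage below is constructed.

```python
#!/usr/bin/env python3
"""NSS-aware check of Debian default system groups.

Added example, not code from base-passwd/update-passwd.  Before proposing
'Adding group X (N)', ask libc (getgrnam(3)/getgrgid(3), which honour
/etc/nsswitch.conf) whether the group already exists, and flag name/gid
disagreements between the local file, the merged NSS view and the Debian
default.  Only the two groups named in the bug report are listed; the
resolver functions are this example's own helpers.
"""
import grp
from typing import Callable, Dict, List, Optional, Tuple

# The two groups from the report's update-passwd output (name -> gid).
DEFAULT_GROUPS: Dict[str, int] = {"cdrom": 24, "video": 44}

NameResolver = Callable[[str], Optional[int]]   # group name -> gid, or None
GidResolver = Callable[[int], Optional[str]]    # gid -> group name, or None


def parse_group_file(text: str) -> Dict[str, int]:
    """Parse /etc/group-style lines (name:passwd:gid:members) into name -> gid."""
    groups: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; skip rather than guess
        try:
            groups[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return groups


def nss_name_resolver(name: str) -> Optional[int]:
    """getgrnam(3) via the grp module: honours 'group: files ldap' in nsswitch.conf."""
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def nss_gid_resolver(gid: int) -> Optional[str]:
    """getgrgid(3) via the grp module."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def check_groups(defaults: Dict[str, int], local: Dict[str, int],
                 resolve_name: NameResolver, resolve_gid: GidResolver
                 ) -> List[Tuple[str, str, str]]:
    """Return (group, verdict, detail) triples.

    conflict - a name/gid mapping disagrees with the default: the local file
               has another gid, NSS resolves the name to another gid, or NSS
               already hands the default gid to a different name.  Adding the
               group blindly here is how an unintended grant happens.
    ok       - present in the local file with the expected gid
    present  - not in the local file, but NSS already resolves it to the
               expected gid (the LDAP case in the report): nothing to add
    add      - unknown everywhere: safe to add
    """
    findings: List[Tuple[str, str, str]] = []
    for name, want_gid in sorted(defaults.items()):
        local_gid = local.get(name)
        nss_gid = resolve_name(name)
        nss_name = resolve_gid(want_gid)
        if local_gid is not None and local_gid != want_gid:
            findings.append((name, "conflict",
                             f"/etc/group has gid {local_gid}, expected {want_gid}"))
        elif nss_gid is not None and nss_gid != want_gid:
            findings.append((name, "conflict",
                             f"NSS resolves {name} to gid {nss_gid}, expected {want_gid}"))
        elif nss_name is not None and nss_name != name:
            findings.append((name, "conflict",
                             f"NSS already maps gid {want_gid} to {nss_name!r}"))
        elif local_gid is not None:
            findings.append((name, "ok", "present in /etc/group"))
        elif nss_gid is not None:
            findings.append((name, "present",
                             f"resolved via NSS to gid {nss_gid}; not adding"))
        else:
            findings.append((name, "add", f'Adding group "{name}" ({want_gid})'))
    return findings


if __name__ == "__main__":
    # Real run: local file vs. whatever NSS (files, ldap, ...) answers on this host.
    with open("/etc/group") as fh:
        local_groups = parse_group_file(fh.read())
    for group, verdict, detail in check_groups(DEFAULT_GROUPS, local_groups,
                                               nss_name_resolver, nss_gid_resolver):
        print(f"{verdict:8s} {group}: {detail}")
```

On the system from the report (cdrom and video absent from /etc/group but
resolvable through LDAP with gids 24 and 44) this reports both as "present"
rather than proposing to add them.  The gid lookup in the other direction is
what catches the case the last paragraph worries about: if the remote
repository already hands gid 24 to some other name, creating a local "cdrom"
with that gid would silently give its members that other group's access.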
