update-passwd ignores LDAP and other NSS sources
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
base-passwd (Ubuntu) | Triaged | High | Unassigned |
Bug Description
Binary package hint: base-passwd
The update-passwd tool does not seem to respect groups defined in databases other than /etc/group. I recently upgraded a Lucid system, and got this message
----
Setting up base-passwd (3.5.22) ...
update-passwd has found some differences between your system accounts
and the current Debian defaults. It is advisable to allow update-passwd
to change your system; without those changes some packages might not work
correctly. For more documentation on the Debian account policies please
see /usr/share/
The list of proposed changes is:
Adding group "cdrom" (24)
Adding group "video" (44)
Would commit 2 changes
It is highly recommended that you allow update-passwd to make these changes
(a backup file of modified files is made with the extension .org so you can
always restore the current settings).
May I update your system? [Y/n]
----
I opened another terminal, and ran a couple of perl one-liners:
----
sauer@stinky:~$ perl -le 'print scalar getgrnam(cdrom)'
24
sauer@stinky:~$ perl -le 'print scalar getgrnam(video)'
44
----
The perl commands had reasonable output given that the cdrom group is defined in LDAP, which is where I manage a whole bunch of users and groups for a group of systems:
----
sauer@stinky:~$ grep -w group /etc/nsswitch.conf
# pre_auth-
group: files ldap
sauer@stinky:~$ ldapsearch -x cn=cdrom | grep -v -e ^# -e ^$
dn: cn=cdrom,
objectClass: posixGroup
objectClass: top
cn: cdrom
gidNumber: 24
memberUid: haldaemon
memberUid: sauer
memberUid: mythtv
search: 2
result: 0 Success
----
I need to add LDAP users to some of these groups, and I don't want to do so by editing individual group files on all the boxes. This is why I *have* LDAP. :) As such, it would be nice if the update-passwd program would use the libc calls to see if groups are defined, rather than just blindly working on the files.
This is also a marginal security issue, as it's possible that someone could have a different name-id mapping in their repository vs. the passwd or group file for a system account. Since most remote databases (AD, LDAP, NIS, etc.) allow local files to override the remote repository, but Linux NSS merges the two repositories (depending on the program), it's possible that someone could end up being granted access that they're not supposed to have when a local group is manipulated. As these are the lower-level system groups, it seems worthwhile to be as safe as possible when handling them. :)
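The difference the report describes, between a tool that only parses /etc/group and one that asks the C library (getgrnam(3), which honours nsswitch.conf), as an added example that is not part of the bug report or of base-passwd's update-passwd. The local group file and the "NSS view" below are constructed inline to mirror the report (cdrom 24 and video 44 exist only in LDAP); the `floppy` entry with a conflicting GID is a hypothetical addition to exercise the name-id mismatch case from the last paragraph. `nss_lookup` is the real lookup for use on a live system; the tests pass a dictionary instead so the check runs offline.

```python
from typing import Callable, Dict, Optional

try:
    import grp  # POSIX only; grp.getgrnam wraps getgrnam(3) and goes through NSS
except ImportError:  # pragma: no cover
    grp = None

# Constructed sample of a local /etc/group (what a files-only tool sees).
# "cdrom" and "video" are deliberately absent, as in the report.
SAMPLE_ETC_GROUP = """\
root:x:0:
daemon:x:1:
audio:x:29:sauer
users:x:100:
"""

# Constructed "NSS view": what getgrnam() returns with "group: files ldap",
# i.e. the local file merged with a hypothetical LDAP posixGroup set.
SAMPLE_NSS_VIEW = {
    "root": 0,
    "daemon": 1,
    "audio": 29,
    "users": 100,
    "cdrom": 24,     # defined only in LDAP, as in the report
    "video": 44,     # defined only in LDAP, as in the report
    "floppy": 1025,  # hypothetical: the directory reuses a system group name with another GID
}

# Defaults a tool like update-passwd would want present: the two from the
# report plus two constructed ones (audio already local, floppy conflicting).
CHECK_DEFAULTS = {"cdrom": 24, "video": 44, "audio": 29, "floppy": 25}


def parse_group_file(text: str) -> Dict[str, int]:
    """Parse group(5) lines (name:password:gid:members) into name -> gid."""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed line: skip rather than guess a GID
        out[fields[0]] = int(fields[2])
    return out


def nss_lookup(name: str) -> Optional[int]:
    """Resolve a group name the way libc does (files, ldap, ... per nsswitch.conf)."""
    if grp is None:
        raise RuntimeError("grp module unavailable: not a POSIX system")
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def files_only_lookup(name: str) -> Optional[int]:
    """Stand-in for a tool that never consults NSS: nothing beyond the file exists."""
    return None


def classify(name: str, want_gid: int, local: Dict[str, int],
             lookup: Callable[[str], Optional[int]]) -> str:
    """Verdict for one expected group.

    present-local      : in /etc/group with the expected GID
    local-gid-mismatch : in /etc/group with a different GID
    nss-only           : absent from the file, but NSS resolves it to the expected GID
    nss-gid-mismatch   : absent from the file, and NSS resolves it to a different GID
    add                : unknown to both the file and NSS; safe to create locally
    """
    if name in local:
        return "present-local" if local[name] == want_gid else "local-gid-mismatch"
    nss_gid = lookup(name)
    if nss_gid is None:
        return "add"
    return "nss-only" if nss_gid == want_gid else "nss-gid-mismatch"


def plan_changes(defaults: Dict[str, int], group_text: str,
                 lookup: Callable[[str], Optional[int]] = nss_lookup) -> Dict[str, str]:
    """Map each default group name to a verdict, using `lookup` for non-local names."""
    local = parse_group_file(group_text)
    return {name: classify(name, gid, local, lookup) for name, gid in defaults.items()}


if __name__ == "__main__":
    # Files-only reasoning (what the report observed): cdrom and video look missing.
    print("files only :", plan_changes(CHECK_DEFAULTS, SAMPLE_ETC_GROUP, files_only_lookup))
    # NSS-aware reasoning over the constructed view: they already exist in LDAP,
    # and floppy is flagged instead of being silently created with a clashing GID.
    print("nss aware  :", plan_changes(CHECK_DEFAULTS, SAMPLE_ETC_GROUP, SAMPLE_NSS_VIEW.get))
```

Only "add" is a safe automatic action; "nss-only" means a local entry would duplicate a directory group, and either mismatch verdict is exactly the situation where a local edit changes who ends up in a system group, so it should stop and ask rather than proceed.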
security vulnerability: yes → no
visibility: private → public
summary:
- update-passwd igonres ldap
+ update-passwd ignores LDAP and other NSS sources
Changed in base-passwd (Ubuntu):
status: New → Triaged
importance: Undecided → High
Hopefully someone can correct my spelling of "ignores". :) And probably change LDAP to NSS... Sigh.