Bug 498465

Summary: adduser created a user with the next available UID for ALL domains but should do so from LOCAL only
Product: Fedora
Component: shadow-utils
Version: 11
Hardware: All
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Reporter: Michal Nowak <mnowak>
Assignee: Peter Vrabec <pvrabec>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: ohudlick, pvrabec, sgallagh, tmraz
Target Milestone: ---
Target Release: ---
Doc Type: Bug Fix
Last Closed: 2010-06-28 12:17:32 UTC

Description Michal Nowak 2009-04-30 15:57:31 UTC
Description of problem:

[...]
sssd_test:x:11005:11005:SSSD 1 test user:/home/sssd_test:/bin/bash

So the next created user is this one:

validlocaluser:x:11006:11006::/home/validlocaluser:/bin/bash

but it should be something like:

validlocaluser:x:555:555::/home/validlocaluser:/bin/bash


This prevented SSSD from letting me log in to the local sshd instance:

dhcp-lab-124 ~ # ssh localhost -l validlocaluser@LEGACYLOCAL
validlocaluser@LEGACYLOCAL@localhost's password: 
Permission denied, please try again.
validlocaluser@LEGACYLOCAL@localhost's password: 
Permission denied, please try again.
validlocaluser@LEGACYLOCAL@localhost's password: 

Because it honors only UIDs within the range ~500-~5000.

--
sgallagh said on this: 
"I think we just found a limitation of the shadow-utils adduser function. It created the user with the next available UID for ALL domains"


Version-Release number of selected component (if applicable):

sssd-0.3.2-2.fc11.x86_64
shadow-utils-4.1.2-13.fc11.x86_64

How reproducible:

always

Actual results:

UID/GID from ALL range

Expected results:

UID/GID from LOCAL range

Additional info:

https://fedorahosted.org/sssd/wiki/Fedora_11_Test_Day/PAM_Local_Legacy
https://fedoraproject.org/wiki/Test_Day:2009-04-30_SSSD#NSS_Tests


--
I believe sgallagh can explain this issue in much more depth than I can, if necessary.

Comment 1 Stephen Gallagher 2009-04-30 16:15:33 UTC
What we discovered was that adduser will create a user whose userid is one greater than the highest UID returned by any domain in the NSS passwd databases.

This poses a problem in an SSSD-enabled world, where we have distinct ranges for what constitutes a valid NSS domain. For example, users 500-10000 might be reserved for /etc/passwd, users 10001-30000 might be reserved for NIS and 30001-100000 might be reserved for LDAP users.

If an admin creates a new userID in such a system, allowing it to choose the default, it would naturally pick a UID in the range of the highest UID domain.

Furthermore, this is a problem in a non-SSSD world where LDAP or NIS is in play, because if the remote server does not enable full enumeration, it's possible for adduser to create a new user whose UID matches that of a network user who has simply not been queried before on the machine.

The appropriate behaviour (in my opinion) would be to either disallow automatic UID generation entirely (or at least warn loudly), or else restrict it to only the contents of /etc/passwd.

Comment 2 Peter Vrabec 2009-05-04 12:52:15 UTC
I suggest using the UID_MIN/UID_MAX and GID_MIN/GID_MAX variables in /etc/login.defs.

# useradd -u 10300 velky
# id velky
uid=10300(velky) gid=10300(velky) groups=10300(velky)
# vim /etc/login.defs
...
"set up UID_MAX and GID_MAX"
...
# useradd maly
# id maly
uid=525(maly) gid=525(maly) groups=525(maly)

Are you fine with this solution? 
What should be the range for local users?
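
The allocation rule Stephen describes in Comment 1 (highest UID returned by any NSS source, plus one) and the UID_MIN/UID_MAX restriction Peter proposes in Comment 2, as an added example that is not part of the bug report and is not shadow-utils code. It runs entirely on constructed files: a local passwd file, a merged `getent passwd` view containing the sssd_test user from the report, a remote entry that enumeration never returned, and a login.defs fragment whose 500-9999 range is an assumed value. The function names (logindefs_get, next_uid_naive, next_uid_in_range, uid_in_use) are hypothetical helpers written for this example; real useradd does its own allocation in C.

```shell
#!/bin/sh
# Added example, not shadow-utils code. It reproduces the allocation rule
# Comment 1 describes ("highest UID seen in any NSS source, plus one") on
# constructed data, then applies the UID_MIN/UID_MAX restriction from
# Comment 2 and a collision check for users a non-enumerating directory
# never showed us. Every file and value below is constructed; 500-9999 is an
# assumed local range, not anything taken from the reporter's login.defs.

set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed local /etc/passwd: human users at 500 and 501.
cat >"$WORK/passwd.local" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
EOF

# Constructed `getent passwd` output: the local entries merged with an SSSD
# user that lives in the remote UID range, as in the bug report.
cat >"$WORK/passwd.nss" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
sssd_test:x:11005:11005:SSSD 1 test user:/home/sssd_test:/bin/bash
EOF

# Constructed remote directory content that enumeration never returned
# (the non-enumeration case Comment 1 warns about): a user already at 502.
cat >"$WORK/passwd.remote" <<'EOF'
carol:x:502:502:Never looked up on this host:/home/carol:/bin/bash
EOF

# Constructed login.defs fragment (assumed range).
cat >"$WORK/login.defs" <<'EOF'
# comment lines and unrelated keys are ignored
UID_MIN          500
UID_MAX         9999
EOF

# Print the value of a login.defs key. $1 = file, $2 = key name.
logindefs_get() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# The behaviour the bug reports: highest UID in the data, plus one, with no
# regard to which range it belongs to. $1 = passwd-format file.
next_uid_naive() {
    awk -F: 'BEGIN { max = 0 } $3 > max { max = $3 } END { print max + 1 }' "$1"
}

# Range-aware allocation: lowest UID in [lo, hi] not present in the file.
# $1 = passwd-format file, $2 = UID_MIN, $3 = UID_MAX. Prints nothing and
# returns 1 when the range is exhausted.
next_uid_in_range() {
    awk -F: -v lo="$2" -v hi="$3" '
        { used[$3] = 1 }
        END {
            for (u = lo; u <= hi; u++)
                if (!(u in used)) { print u; exit 0 }
            exit 1
        }' "$1"
}

# Succeed if $1 is the UID of some entry in passwd-format file $2.
uid_in_use() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$2"
}

# Walk through the allocation strategies on the constructed data.
demo() {
    lo=$(logindefs_get "$WORK/login.defs" UID_MIN)
    hi=$(logindefs_get "$WORK/login.defs" UID_MAX)
    echo "max+1 over all NSS sources  : $(next_uid_naive "$WORK/passwd.nss")"
    echo "max+1 over /etc/passwd only : $(next_uid_naive "$WORK/passwd.local")"
    echo "lowest free UID in $lo-$hi   : $(next_uid_in_range "$WORK/passwd.local" "$lo" "$hi")"
    candidate=$(next_uid_in_range "$WORK/passwd.local" "$lo" "$hi")
    # The range fix stops the 11006 result, but it cannot see a remote user
    # the directory never enumerated; only an explicit lookup catches that.
    if uid_in_use "$candidate" "$WORK/passwd.remote"; then
        echo "candidate $candidate collides with a remote user enumeration never returned"
    fi
}

demo
```

Restricting the search to the local range and to /etc/passwd removes the 11006 result from the report, but the second problem in Comment 1 remains: a remote user who was never looked up on this host is invisible to any scan of enumerated entries, so a deployment that relies on automatic UID selection still needs non-overlapping ranges per source, and ideally an explicit lookup of the chosen UID against the directory before the account is created.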

Comment 3 Peter Vrabec 2009-05-07 09:02:58 UTC
Hey Stephen, it would be good to push this now, in the early stage of F12. I would also change the lower UID limit from 500 to 1000, as it is in other distros/upstream. But there is a need for some consensus. Maybe an email on fedora-devel.

Comment 4 Bug Zapper 2009-06-09 14:54:01 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 5 Bug Zapper 2010-04-27 14:01:52 UTC
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment 6 Bug Zapper 2010-06-28 12:17:32 UTC
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.