Bug 498465
Summary: | adduser created user with the next available UID for ALL domains but should do from LOCAL only | |
---|---|---|---
Product: | [Fedora] Fedora | Reporter: | Michal Nowak <mnowak>
Component: | shadow-utils | Assignee: | Peter Vrabec <pvrabec>
Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa>
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | 11 | CC: | ohudlick, pvrabec, sgallagh, tmraz
Target Milestone: | --- | |
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2010-06-28 12:17:32 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Description
Michal Nowak
2009-04-30 15:57:31 UTC
What we discovered was that adduser will create a user whose userid is one greater than the highest UID returned by any domain in the NSS passwd databases. This poses a problem in an SSSD-enabled world, where we have distinct ranges for what constitutes a valid NSS domain. For example, users 500-10000 might be reserved for /etc/passwd, users 10001-30000 might be reserved for NIS and 30001-100000 might be reserved for LDAP users. If an admin creates a new userID in such a system, allowing it to choose the default, it would naturally pick a UID in the range of the highest UID domain.

Furthermore, this is a problem in a non-SSSD world where LDAP or NIS is in play, because if the remote server does not enable full enumeration, it's possible for adduser to create a new user whose UID matches that of a network user who has simply not been queried before on the machine.

The appropriate behaviour (in my opinion) would be to either disallow automatic UID generation entirely (or at least warn loudly), or else restrict it to only the contents of /etc/passwd.

I suggest using the UID_MIN/UID_MAX and GID_MIN/GID_MAX variables in /etc/login.defs.

```
# useradd -u 10300 velky
# id velky
uid=10300(velky) gid=10300(velky) groups=10300(velky)
# vim /etc/login.defs
... "set up UID_MAX and GID_MAX" ...
# useradd maly
# id maly
uid=525(maly) gid=525(maly) groups=525(maly)
```

Are you fine with this solution? What should be the range for local users?

hey Stephen, it would be good to push this now in the early stage of F12. I would also change the lower UID limit from 500 to 1000, as it is in other distros/upstream. But there is a need for some consensus. Maybe an email on fedora-devel.

This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle. Changing version to '11'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

This message is a reminder that Fedora 11 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 11. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 11 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.
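The two allocation policies the report contrasts, modelled as an added example (not shadow-utils code and not from the bug): the "highest UID from any NSS domain + 1" behaviour against a local-only allocator bounded by UID_MIN/UID_MAX from login.defs, plus a check that lists local accounts whose UID sits above UID_MAX and so overlaps a network domain's range. The passwd lines, NSS UID list and login.defs fragment are constructed; the exact search order of the real useradd is not claimed.

```python
import re

# Constructed sample data (not from the bug report) modelling the layout it
# describes: local users plus UIDs a simulated LDAP domain (30001-100000) returns.
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:524:524::/home/bob:/bin/bash
velky:x:10300:10300::/home/velky:/bin/bash
"""
NSS_ALL_UIDS = [0, 500, 524, 10300, 30001, 30002, 30750]
LOGIN_DEFS = """\
# constructed /etc/login.defs fragment
UID_MIN  500
UID_MAX  10000
"""

def parse_login_defs(text):
    """Return the integer-valued KEY VALUE settings of a login.defs-style file."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\w+)\s+(\d+)\s*$", line.split("#", 1)[0])
        if m:
            values[m.group(1)] = int(m.group(2))
    return values

def local_uids(passwd_text):
    """UIDs of the local passwd entries only (third colon-separated field)."""
    return [int(line.split(":")[2]) for line in passwd_text.splitlines() if line.strip()]

def next_uid_all_domains(all_uids):
    """Allocation the report complains about: highest UID from any NSS domain + 1."""
    return max(all_uids) + 1

def next_uid_local(passwd_text, login_defs_text):
    """Proposed allocation: consult only the local file, bounded by UID_MIN/UID_MAX."""
    defs = parse_login_defs(login_defs_text)
    lo, hi = defs["UID_MIN"], defs["UID_MAX"]
    used = {u for u in local_uids(passwd_text) if lo <= u <= hi}
    candidate = max(used, default=lo - 1) + 1
    if candidate > hi:  # top of the range reached: take the lowest free UID instead
        candidate = next((u for u in range(lo, hi + 1) if u not in used), None)
    return candidate

def local_users_above_range(passwd_text, login_defs_text):
    """Local accounts whose UID lies above UID_MAX, i.e. inside a network domain's range."""
    hi = parse_login_defs(login_defs_text)["UID_MAX"]
    return [line.split(":")[0] for line in passwd_text.splitlines()
            if line.strip() and int(line.split(":")[2]) > hi]
```

With the sample data the local-only allocator yields 525 (as in the session above) while the all-domains rule yields 30751; when the range is exhausted at the top the allocator falls back to the lowest hole and returns None only if no UID is free.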