Red Hat Bugzilla – Bug 1283675
The kdcproxy user should be created at rpm installation time, and ideally with some soft static uid
Last modified: 2018-02-06 14:48:35 EST
Description of problem:
When ipa-server-install is run, records
kdcproxy:x:388:388:IPA KDC Proxy User:/var/lib/kdcproxy:/sbin/nologin
get created in /etc/passwd and /etc/group.
It'd be useful if the user was created at rpm installation time, per
or even using soft static allocation.
On every system the uid/gid might be different, leading to a potential leak when, for example, in containers data volumes get used with different images.
I understand the kdcproxy user currently does not own any files besides its home directory /var/lib/kdcproxy, but it might change (the wsgi application can start storing cache files, etc.).
Version-Release number of selected component (if applicable):
# rpm -qf /usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py
Steps to Reproduce:
1. Check /etc/passwd.
2. Run ipa-server-install.
3. Check /etc/passwd.
New record was created.
No new record was created because it was already there.
Christian, you already worked on an issue related to the kdcproxy proxy user. What was the result? Is it connected?
Note that the same applies to the sssd and dirsrv users, which are created during ipa-server-install as well. The dirsrv user is created by us, but I don't know who creates the sssd user. Maybe authconfig?
(In reply to Jan Cholasta from comment #2)
> Note that the same applies to the sssd and dirsrv users, which are created
> during ipa-server-install as well. The dirsrv user is created by us, but I
> don't know who creates the sssd user. Maybe authconfig?
The sssd user comes from sssd-common -- bug 1265099 tracks the soft allocation aspect.
The dirsrv soft allocation is in bug 1143066.
I propose soft-allocated uid/gid 288, which according to /usr/share/doc/setup/uidgid from setup-2.9.8-2.fc23.noarch is free.
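
The uid/gid drift this report is concerned with can be checked for by comparing the passwd files of the images that share a data volume. The script below is an added example, not part of the bug report or of the IPA packages; the function names, file names and the uid 391 are constructed for illustration, while 388 and 288 are the values mentioned in the report.

```shell
#!/bin/sh
# Added example: report uid/gid drift of a service account across images.
# Inputs are passwd(5)-format files, e.g. /etc/passwd copied out of each image.

# account_ids FILE NAME: print "uid:gid" for NAME, or nothing if NAME is absent.
account_ids() {
    awk -F: -v name="$2" '$1 == name { print $3 ":" $4; exit }' "$1"
}

# check_drift NAME EXPECTED_UID FILE...
# Prints one line per file. Returns 0 only if every file that defines NAME has
# the same uid:gid pair and its uid equals EXPECTED_UID; returns 1 otherwise.
check_drift() {
    name=$1; expected=$2; shift 2
    first=""; status=0
    for f in "$@"; do
        ids=$(account_ids "$f" "$name")
        if [ -z "$ids" ]; then
            echo "$f: $name not present"
            continue
        fi
        if [ -z "$first" ]; then first=$ids; fi
        if [ "$ids" != "$first" ]; then
            echo "$f: $name=$ids DRIFT (first seen as $first)"; status=1
        elif [ "${ids%%:*}" != "$expected" ]; then
            echo "$f: $name=$ids is not the expected uid $expected"; status=1
        else
            echo "$f: $name=$ids ok"
        fi
    done
    return $status
}

# Constructed sample data: 388 is the uid from the report, 391 is made up.
demo() {
    tmp=$(mktemp -d)
    echo 'kdcproxy:x:388:388:IPA KDC Proxy User:/var/lib/kdcproxy:/sbin/nologin' > "$tmp/image-a.passwd"
    echo 'kdcproxy:x:391:391:IPA KDC Proxy User:/var/lib/kdcproxy:/sbin/nologin' > "$tmp/image-b.passwd"
    check_drift kdcproxy 288 "$tmp/image-a.passwd" "$tmp/image-b.passwd"; rc=$?
    rm -rf "$tmp"
    return $rc
}

demo || echo "result: uid/gid differs between images or from the expected value"
```

A file that does not define the account is reported but does not count as drift, since that image cannot own files as that user.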