Description of problem: Since shadow-utils-4.9-5.fc35, new users created through gnome-control-center are missing files that should've been copied from /etc/skel. That means they don't have .bashrc and similar, i.e. no PS1 variable etc. Users created through adduser are fine. shadow-utils-4.9-4.fc35 worked OK even with gnome-control-center, it's -5 that broke it. With shadow-utils-4.9-4.fc35, a newly created user through gnome-control-center contains: # tree -a /home/tester /home/tester ├── .bash_logout ├── .bash_profile ├── .bashrc └── .mozilla ├── extensions └── plugins With shadow-utils-4.9-5.fc35 (or -6), a newly created user through gnome-control-center contains: # tree -a /home/tester /home/tester └── .mozilla Current contents of /etc/skel: # tree -a /etc/skel /etc/skel ├── .bash_logout ├── .bash_profile ├── .bashrc └── .mozilla ├── extensions └── plugins Can you please consider this as a bug with the utmost priority? Currently this is broken for all Fedora users, because shadow-utils-4.9-5.fc35 is already in stable updates. That means everyone who creates a new users gets it with a broken (incomplete) profile, and it will not fix itself after this bug is resolved. So we need to push the fix to stable updates ASAP, so that as few users as possible are affected. Thanks! Version-Release number of selected component (if applicable): gnome-control-center-41.1-1.fc35.x86_64 working: shadow-utils-4.9-3.fc35 shadow-utils-4.9-4.fc35 broken: shadow-utils-4.9-5.fc35 shadow-utils-4.9-6.fc35 How reproducible: always Steps to Reproduce: 1. open gnome-control-center -> Users 2. create a new standard user "tester" 3. sudo ls -a /home/tester Actual results: most files from /etc/skel are missing Expected results: all files from /etc/skel are present
I'm working on it. If you could provide the logs from /var/log/messages and /var/log/secure that would be really helpful.
Created attachment 1841420 [details] journal There is no /var/log/{messages,secure}. I'm attaching `journalctl -b` output instead.
$ grep tester journal.txt Nov 12 11:53:20 f35 accounts-daemon[696]: request by system-bus-name::1.145 [gnome-control-center pid:2528 uid:1000]: create user 'tester' Nov 12 11:53:20 f35 useradd[2637]: new group: name=tester, GID=1001 Nov 12 11:53:20 f35 audit[2637]: ADD_GROUP pid=2637 uid=0 auid=1000 ses=4 subj=system_u:system_r:useradd_t:s0 msg='op=add-group acct="tester" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success' Nov 12 11:53:20 f35 useradd[2637]: new user: name=tester, UID=1001, GID=1001, home=/home/tester, shell=/bin/bash, from=none Nov 12 11:53:20 f35 audit[2637]: ADD_USER pid=2637 uid=0 auid=1000 ses=4 subj=system_u:system_r:useradd_t:s0 msg='op=add-user acct="tester" exe="/usr/sbin/useradd" hostname=? addr=? terminal=? res=success' Nov 12 11:53:20 f35 accounts-daemon[2637]: useradd: setting attribute security.selinux for /home/tester/.mozilla: Permission denied Nov 12 11:53:20 f35 accounts-daemon[696]: request by system-bus-name::1.145 [gnome-control-center pid:2528 uid:1000]: change password mode of user 'tester' (1001) to 1 Nov 12 11:53:20 f35 accounts-daemon[2652]: Removing password for user tester. Nov 12 11:53:20 f35 chage[2653]: changed password expiry for tester
This problem doesn't occur when SELinux is changed to Permissive mode, even with latest shadow-utils. So this seems clearly SELinux-related. From the journal: $ grep -i avc journal.txt Nov 12 11:53:20 f35 audit[2640]: AVC avc: denied { setgid } for pid=2640 comm="sss_cache" capability=6 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0 Nov 12 11:53:20 f35 audit[2640]: AVC avc: denied { setgid } for pid=2640 comm="sss_cache" capability=6 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0 Nov 12 11:53:20 f35 audit[2643]: AVC avc: denied { setgid } for pid=2643 comm="sss_cache" capability=6 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0 Nov 12 11:53:20 f35 audit[2643]: AVC avc: denied { setgid } for pid=2643 comm="sss_cache" capability=6 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:system_r:useradd_t:s0 tclass=capability permissive=0 Nov 12 11:53:20 f35 audit[2637]: AVC avc: denied { relabelto } for pid=2637 comm="useradd" name=".mozilla" dev="vda2" ino=986 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
When I try to add the user using gnome the home directory is empty and I get the following error in /var/log/messages: Nov 12 11:33:17 fedora audit[10205]: AVC avc: denied { relabelto } for pid=10205 comm="useradd" name=".mozilla" dev="sda2" ino=9136 scontext=system_u:system_r:useradd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0 Nov 12 11:33:17 fedora accounts-daemon[10205]: useradd: setting attribute security.selinux for /home/testuser2/.mozilla: Permission denied If I do the same with the useradd command the user is created correctly and I don't see an empty home directory. Changing the component to selinux-policy.
My bad, this definitely belongs to shadow-utils.
FEDORA-2021-2709419aea has been submitted as an update to Fedora 35. https://bodhi.fedoraproject.org/updates/FEDORA-2021-2709419aea
FEDORA-2021-2709419aea has been pushed to the Fedora 35 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-2709419aea` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-2709419aea See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-2709419aea has been pushed to the Fedora 35 stable repository. If problem still persists, please make note of it in this bug report.
Thanks, I verified that this is fixed now.