Red Hat Bugzilla – Bug 461656
Require creating a user for systems without network auth and without existing users
Last modified: 2015-01-14 18:21:49 EST
We'd like to be able to disable root logins from GDM. However, this is difficult to do if it is possible to go through firstboot without creating a user.
So, I propose that we require creating a user unless a) there is already one uid above 500 on the system OR b) the user has configured authentication mechanisms.
Will attach a patch that seems to work from some light testing.
Created attachment 316239
It seems to me that a simpler patch is to just check that self.admin.getFirstUnusedUid() > 500, since system users could also have the 65535 UID as well. I've made this modification and pushed so it can be fixed in the next build of firstboot. Thanks for the patch.
I thought about that but I don't think it is correct. For example, in my case I have one user uid=730. This is often the case when someone wants to keep uids in sync across multiple machines. Maybe a corner case though.
*** Bug 464026 has been marked as a duplicate of this bug. ***
The corner case from William McCann is one that I am in, as I use my Fedora machine to interface with machines at work and it is convenient to have the UIDs line up. It is possible, of course, to create a temporary ID in firstboot and later remove it, but it would be rather annoying.
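The two checks discussed in the comments above, compared on constructed passwd data. This is an added example, not firstboot's code or the attached patch; the helper names, the sample accounts, the set of high-numbered system UIDs, and the modelling of getFirstUnusedUid() as "lowest free UID counting up from 500" are assumptions.

```python
# Added sketch: compares the two "does a regular user exist?" checks from the thread.
UID_MIN = 500  # threshold named in the thread

# Constructed /etc/passwd contents (not taken from any real system).
FRESH = ("root:x:0:0:root:/root:/bin/bash\n"
         "daemon:x:2:2:daemon:/sbin:/sbin/nologin\n"
         "nfsnobody:x:65534:65534:NFS:/var/lib/nfs:/sbin/nologin\n")
TYPICAL = FRESH + "alice:x:500:500::/home/alice:/bin/bash\n"
SYNCED = FRESH + "jdoe:x:730:730::/home/jdoe:/bin/bash\n"  # UID kept in sync with other hosts

def parse_uids(passwd_text):
    """Return the set of numeric UIDs in passwd-format text, skipping malformed lines."""
    uids = set()
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            uids.add(int(fields[2]))
    return uids

def first_unused_uid(uids, start=UID_MIN):
    """Assumed model of getFirstUnusedUid(): lowest free UID counting up from start."""
    uid = start
    while uid in uids:
        uid += 1
    return uid

def user_exists_first_unused(uids):
    """The simplified check: UID 500 is taken, so the first free UID is above 500."""
    return first_unused_uid(uids) > UID_MIN

def user_exists_scan(uids, system_high=frozenset({65534})):
    """Scan for any UID >= 500, ignoring high-numbered system accounts (assumed set)."""
    return any(u >= UID_MIN and u not in system_high for u in uids)

def must_create_user(passwd_text, network_auth, check):
    """firstboot-style decision: force user creation unless auth or a user exists."""
    return not network_auth and not check(parse_uids(passwd_text))

if __name__ == "__main__":
    for name, text in (("fresh", FRESH), ("typical", TYPICAL), ("synced", SYNCED)):
        print(name,
              "first-unused:", must_create_user(text, False, user_exists_first_unused),
              "scan:", must_create_user(text, False, user_exists_scan))
```

On the synced data the first-unused check still demands a new account although uid 730 exists, which is the corner case raised in the comments; both checks agree on the fresh and typical systems.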
Setting release notes flag since this is a pretty visible (post beta) change that people are going to notice.
Thanks for the heads up; I happen to be doing the final XML conversion on the release notes (still) so am able to slip this one in after the content freeze. The following snippet appears at the end of the section "Installation notes":
<title>Firstboot requires creation of non-root user</title>
<para>The <application>Firstboot</application> application requires
the creation of a non-root user for the system. This is to
support <systemitem class="daemon">gdm</systemitem> no longer
allowing the root user to log in to the graphical desktop.</para>
<para>If a network authentication mechanism is chosen during
installation <application>Firstboot</application> does not require
creating a local user.</para>
Removing release notes flag.