Red Hat Bugzilla – Bug 498465
adduser created user with the next available UID for ALL domains but should do from LOCAL only
Last modified: 2014-06-09 07:55:08 EDT
Description of problem:
sssd_test:x:11005:11005:SSSD 1 test user:/home/sssd_test:/bin/bash
So the next created user is this one:
but it should be something like:
This prevented SSSD from letting me log in to the local sshd instance:
dhcp-lab-124 ~ # ssh localhost -l validlocaluser@LEGACYLOCAL
Permission denied, please try again.
Permission denied, please try again.
Because it honors only UIDs within the range ~500-~5000.
sgallagh said on this:
"I think we just found a limitation of the shadow-utils adduser function. It created the user with the next available UID for ALL domains"
Version-Release number of selected component (if applicable):
UID/GID from ALL range
UID/GID from LOCAL range
Believe sgallagh can explain this issue much deeper than me when necessary.
What we discovered was that adduser will create a user whose userid is one greater than the highest UID returned by any domain in the NSS passwd databases.
This poses a problem in an SSSD-enabled world, where we have distinct ranges for what constitutes a valid NSS domain. For example, users 500-10000 might be reserved for /etc/passwd, users 10001-30000 might be reserved for NIS and 30001-100000 might be reserved for LDAP users.
If an admin creates a new userID in such a system, allowing it to choose the default, it would naturally pick a UID in the range of the highest UID domain.
Furthermore, this is a problem in a non-SSSD world where LDAP or NIS is in play, because if the remote server does not enable full enumeration, it's possible for adduser to create a new user whose UID matches that of a network user who has simply not been queried before on the machine.
The appropriate behaviour (in my opinion) would be to either disallow automatic UID generation entirely (or at least warn loudly), or else restrict it to only the contents of /etc/passwd.
I suggest to use UID_MIN/UID_MAX and GID_MIN/GID_MAX variables in /etc/login.defs.
# useradd -u 10300 velky
# id velky
uid=10300(velky) gid=10300(velky) groups=10300(velky)
# vim /etc/login.defs
"set up UID_MAX and GID_MAX"
# useradd maly
# id maly
uid=525(maly) gid=525(maly) groups=525(maly)
Are you fine with this solution?
What should be the range for local users?
hey Stephen, it would be good to push this now in the early stage of F12. I would also change the lower UID limit from 500 to 1000, as it is in other distros/upstream. But there is a need for some consensus. Maybe an email on fedora-devel.
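The following script is an added illustration (not code from this bug or from shadow-utils) of the UID-selection rule sgallagh describes and of the UID_MAX fix suggested above: it computes "highest used UID in range + 1" over a constructed passwd listing, once for local /etc/passwd entries only and once for the full NSS view that includes the sssd_test user with UID 11005. The sample passwd lines, the sample login.defs fragment and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample data (not from any real system).
# LOCAL_PASSWD stands for /etc/passwd; ALL_PASSWD is what NSS returns once
# SSSD also serves a network user, as in this bug report.
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:525:525:Bob:/home/bob:/bin/bash'
ALL_PASSWD="$LOCAL_PASSWD
sssd_test:x:11005:11005:SSSD 1 test user:/home/sssd_test:/bin/bash"

# Constructed /etc/login.defs fragment with the cap suggested in the thread.
LOGIN_DEFS='UID_MIN   500
UID_MAX   10000
GID_MIN   500
GID_MAX   10000'

# next_uid PASSWD_DATA UID_MIN UID_MAX
# Mimics the rule described in the report: take the highest UID that lies
# in [UID_MIN, UID_MAX] and add one; if nothing in that range is used yet,
# start at UID_MIN. Prints the candidate UID.
next_uid() {
    printf '%s\n' "$1" | awk -F: -v min="$2" -v max="$3" '
        { uid = $3 + 0 }
        uid >= min + 0 && uid <= max + 0 && uid > hi { hi = uid; seen = 1 }
        END { print (seen ? hi + 1 : min + 0) }'
}

# login_defs_range LOGIN_DEFS_TEXT -> prints "UID_MIN UID_MAX"
login_defs_range() {
    printf '%s\n' "$1" | awk '
        $1 == "UID_MIN" { min = $2 }
        $1 == "UID_MAX" { max = $2 }
        END { print min, max }'
}

# in_local_range UID UID_MIN UID_MAX -> exit status 0 if UID is inside the range
in_local_range() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# Walk-through: an uncapped range lets the SSSD user drive the choice to 11006,
# which the SSSD local domain would then refuse; the capped range from
# login.defs keeps the choice at 526 even when all NSS domains are consulted.
set -- $(login_defs_range "$LOGIN_DEFS")
echo "all domains, 500-60000 : $(next_uid "$ALL_PASSWD" 500 60000)"
echo "local only,  500-60000 : $(next_uid "$LOCAL_PASSWD" 500 60000)"
echo "all domains, $1-$2  : $(next_uid "$ALL_PASSWD" "$1" "$2")"
```

Run it on a real host by replacing the constructed strings with `getent passwd` output, the contents of /etc/passwd, and the real /etc/login.defs, and compare the three results before creating accounts with a default UID.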
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.
More information and reason for this action is here:
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '11'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 11's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 11 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.