[Bug 712710] Re: update-passwd ignores LDAP and other NSS sources

Colin Watson cjwatson at canonical.com
Tue Jan 14 11:07:21 UTC 2014


** Summary changed:

- update-passwd igonres ldap
+ update-passwd ignores LDAP and other NSS sources

** Changed in: base-passwd (Ubuntu)
       Status: New => Triaged

** Changed in: base-passwd (Ubuntu)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to base-passwd in Ubuntu.
https://bugs.launchpad.net/bugs/712710

Title:
  update-passwd ignores LDAP and other NSS sources

Status in “base-passwd” package in Ubuntu:
  Triaged

Bug description:
  Binary package hint: base-passwd

  The update-passwd tool does not seem to respect groups defined in
  databases other than /etc/group.  I recently upgraded a Lucid system,
  and got this message

  ----
  Setting up base-passwd (3.5.22) ...

  update-passwd has found some differences between your system accounts
  and the current Debian defaults. It is advisable to allow update-passwd
  to change your system; without those changes some packages might not work
  correctly.  For more documentation on the Debian account policies please
  see /usr/share/doc/base-passwd/README.

  The list of proposed changes is:

  Adding group "cdrom" (24)
  Adding group "video" (44)
  Would commit 2 changes

  It is highly recommended that you allow update-passwd to make these changes
  (a backup file of modified files is made with the extension .org so you can
  always restore the current settings).

  May I update your system? [Y/n]
  ----

  I opened another terminal, and ran a couple of perl one-liners:

  ----
  sauer@stinky:~$ perl -le 'print scalar getgrnam(cdrom)'
  24
  sauer@stinky:~$ perl -le 'print scalar getgrnam(video)'
  44
  ----

  The perl commands had reasonable output given that the cdrom group is
  defined in LDAP, which is where I manage a whole bunch of users and
  groups for a group of systems:

  ----
  sauer@stinky:~$ grep -w group /etc/nsswitch.conf
  # pre_auth-client-config # group:          compat
  group: files ldap
  sauer@stinky:~$ ldapsearch -x cn=cdrom | grep -v -e ^# -e ^$
  dn: cn=cdrom,ou=Group,dc=cloudmaster,dc=com
  objectClass: posixGroup
  objectClass: top
  cn: cdrom
  gidNumber: 24
  memberUid: haldaemon
  memberUid: sauer
  memberUid: mythtv
  search: 2
  result: 0 Success
  ----

  I need to add LDAP users to some of these groups, and I don't want to
  do so by editing individual group files on all the boxes.  This is why
  I *have* LDAP. :) As such, it would be nice if the update-passwd
  program would use the libc calls to see if groups are defined, rather
  than just blindly working on the files.

  This is also a marginal security issue, as it's possible that someone
  could have a different name-id mapping in their repository vs. the
  passwd or group file for a system account.  Since most remote databases
  (AD, LDAP, NIS, etc.) allow local files to override the remote
  repository, but Linux NSS merges the two repositories (depending on
  the program), it's possible that someone could end up being granted
  access that they're not supposed to have when a local group is
  manipulated.  As these are the lower-level system groups, it seems
  worthwhile to be as safe as possible when handling them. :)
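The check the reporter asks for, written out as an added example (this is not code from base-passwd or from the bug report): before proposing "Adding group ..." for a Debian default, resolve the name through the libc/NSS lookup (`grp.getgrnam`, the same call Perl's `getgrnam` wraps) instead of reading only `/etc/group`, and treat a name that resolves to a different GID as a conflict rather than a missing group. A second function covers the name-id mismatch the report describes as the security concern, comparing each local file entry's GID against what the remote source maps that GID to. The default group list, the `/etc/group` contents, and the `FAKE_REMOTE_*` lookup tables are all constructed for the demonstration; the `lookup` parameters exist so the logic can be exercised without a live LDAP directory.

```python
"""Plan update-passwd style group changes using NSS, not only /etc/group."""
import grp
from typing import Callable, Dict, List, Optional, Tuple

# Constructed stand-in for the Debian default groups update-passwd checks.
DEBIAN_DEFAULT_GROUPS: Dict[str, int] = {
    "cdrom": 24, "video": 44, "audio": 29, "floppy": 25, "tape": 26,
}

# Constructed /etc/group for a host where cdrom and video live only in LDAP.
SAMPLE_ETC_GROUP = """\
root:x:0:
audio:x:29:sauer
plugdev:x:46:
"""

# Constructed remote (LDAP) view: "tape" has a different GID than the Debian
# default, and GID 46 belongs to a group named "staff" there, not "plugdev".
FAKE_REMOTE_NAME_TO_GID = {"cdrom": 24, "video": 44, "tape": 2600}
FAKE_REMOTE_GID_TO_NAME = {24: "cdrom", 44: "video", 2600: "tape", 46: "staff"}


def parse_group_file(text: str) -> Dict[str, int]:
    """Parse /etc/group-style lines into {name: gid}; skips blank/comment lines."""
    groups: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue  # malformed line: ignore rather than guess a GID
        groups[fields[0]] = int(fields[2])
    return groups


def nss_gid(name: str) -> Optional[int]:
    """Resolve a group name through NSS (files, ldap, ... per nsswitch.conf)."""
    try:
        return grp.getgrnam(name).gr_gid
    except KeyError:
        return None


def nss_name(gid: int) -> Optional[str]:
    """Resolve a GID to a name through NSS."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return None


def plan_group_changes(
    defaults: Dict[str, int],
    file_groups: Dict[str, int],
    lookup: Callable[[str], Optional[int]] = nss_gid,
) -> List[Tuple[str, int, str, str]]:
    """Return (name, gid, action, detail) per default group.

    add      - absent from both /etc/group and NSS: safe to add
    present  - found with the expected GID: nothing to do
    conflict - found with a different GID: stop and report, do not add
    """
    plan = []
    for name, want in sorted(defaults.items()):
        file_gid = file_groups.get(name)
        nss_found = lookup(name)
        if file_gid is not None and file_gid != want:
            plan.append((name, want, "conflict", f"/etc/group has gid {file_gid}"))
        elif nss_found is not None and nss_found != want:
            plan.append((name, want, "conflict", f"NSS resolves to gid {nss_found}"))
        elif file_gid is not None:
            plan.append((name, want, "present", "defined in /etc/group"))
        elif nss_found is not None:
            plan.append((name, want, "present", "defined in a non-file NSS source"))
        else:
            plan.append((name, want, "add", "not found in /etc/group or NSS"))
    return plan


def gid_name_mismatches(
    file_groups: Dict[str, int],
    remote_name_for_gid: Callable[[int], Optional[str]] = nss_name,
) -> List[Tuple[str, int, str]]:
    """Report local entries whose GID the remote source maps to another name.

    Such a split mapping is how a local group edit can grant membership the
    remote directory never intended (the report's security concern).
    """
    found = []
    for name, gid in sorted(file_groups.items()):
        other = remote_name_for_gid(gid)
        if other is not None and other != name:
            found.append((name, gid, other))
    return found


if __name__ == "__main__":
    local = parse_group_file(SAMPLE_ETC_GROUP)
    for entry in plan_group_changes(DEBIAN_DEFAULT_GROUPS, local,
                                    FAKE_REMOTE_NAME_TO_GID.get):
        print("%-8s %5d  %-8s %s" % entry)
    for name, gid, other in gid_name_mismatches(local, FAKE_REMOTE_GID_TO_NAME.get):
        print(f"MISMATCH: local {name}:{gid} is {other}:{gid} in the remote source")
```

Run against the constructed data, cdrom and video are reported as present via NSS (so no "Adding group" prompt), floppy is the only safe addition, tape is a conflict because the directory already uses that name for another GID, and plugdev is flagged because GID 46 is "staff" on the remote side. With the default `lookup`/`remote_name_for_gid` arguments the same functions consult the real NSS stack of the host they run on.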
