[Bug 644632] Re: nssldap-update-ignoreusers needs to be configurable to ignore users

Jamie Strandboge jamie at ubuntu.com
Tue Apr 19 13:43:13 UTC 2011 

The problem with the patch as written is that while 'users' gets updated correctly with this line:
users=`awk -v min="$MIN" -v okuser="$OKUSERS" -F: 'BEGIN{split(okuser,a,/,/);for (i in a) b[a[i]]} ($3 < min) && !($1 in b){printf "%s%s",s,$1;s=","}' /etc/passwd`

'users' is immediately updated after this however to merge what was in
nss_initgroups_ignoreusers before and what is currently in 'users', so
because 'uucp,www-data' was in nss_initgroups_ignoreusers before running
nssldap-update-ignoreusers, it gets merged back in.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is a direct subscriber.
https://bugs.launchpad.net/bugs/644632

Title:
  nssldap-update-ignoreusers needs to be configurable to ignore users

Status in “libnss-ldap” package in Ubuntu:
  New

Bug description:
  Binary package hint: libnss-ldap

  # lsb_release -rd
  Description:    Ubuntu 10.04.1 LTS
  Release:        10.04

  # apt-cache policy libnss-ldap
  libnss-ldap:
    Installed: 264-2ubuntu2
    Candidate: 264-2ubuntu2
    Version table:
   *** 264-2ubuntu2 0
          500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
          100 /var/lib/dpkg/status
       261-2.1ubuntu1 0
          500 http://us.archive.ubuntu.com/ubuntu/ jaunty/main Packages

  Currently, nssldap-update-ignoreusers can only be configured to ignore
  users over a certain numeric UID.  It blindly includes all users less
  than the configured UID.  However, this breaks our setup.  We have
  some system users (namely www-data and www-priv) that are in groups in
  LDAP.  Thus, when you query the 'Subversion' group, you get back a
  list that includes www-priv.  However, if you try to query the groups
  to which www-priv belongs, it fails to return the correct groups
  because it ignores www-priv, thus breaking privileges because the
  system then thinks www-priv is not in the Subversion group.

  The only work around for now is to disable the run of nssldap-update-
  ignoreusers.

  I would work on a patch to facilitate configuring users to *not*
  include in the ignore list if someone will commit to getting the patch
  accepted: we don't really want to maintain our own branch of one file
  in a package. :)

More information about the Ubuntu-sponsors mailing list