[opensuse-packaging] Best way to fix user filtering in accountsservice?
Hi,

accountsservice is the service used in GNOME to get info about accounts on the system. The latest release changes the way user filtering works. See https://bugs.freedesktop.org/show_bug.cgi?id=44408

Quick summary:

- before 0.16.6: we were filtering out users based on UID (do not show users if uid < UID_MIN, where UID_MIN comes from /etc/login.defs)
- now: we're filtering out users based on the shell (nologin & false are hidden)

On top of that, we have a blacklist of users to never show.

That sounds reasonable except that now I see users in gdm, while they should be filtered out. Those are:

ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
suse-ncc:x:106:108:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
beagleindex:x:108:111:User for Beagle indexing:/var/cache/beagle:/bin/bash

I guess ftp, games and man are provided by some base package. Is there any reason those are using bash as shell instead of nologin? Can we fix this? Or should we just blacklist them?

It's harder for suse-ncc and beagleindex as, as far as I know, those are purely historical users from older versions of openSUSE that are still there after upgrading. So I wonder what the right fix is: should we just blacklist them, or would it be acceptable to change their shell in %post of accountsservice? That last solution sounds wrong to me, but it also might fix other issues in the long term...

Thanks,

Vincent

--
Happy people are not in a hurry.
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org
On Thu, Mar 29, 2012 at 08:55:21AM +0200, Vincent Untz wrote:
> Hi,
> accountsservice is the service used in GNOME to get info about accounts on the system. The latest release changes the way user filtering works. See https://bugs.freedesktop.org/show_bug.cgi?id=44408
> Quick summary:
> - before 0.16.6: we were filtering out users based on UID (do not show users if uid < UID_MIN, where UID_MIN comes from /etc/login.defs)
> - now: we're filtering out users based on the shell (nologin & false are hidden)
> On top of that, we have a blacklist of users to never show.
> That sounds reasonable except that now I see users in gdm, while they should be filtered out. Those are:
> ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
> games:x:12:100:Games account:/var/games:/bin/bash
> man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
> suse-ncc:x:106:108:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
> beagleindex:x:108:111:User for Beagle indexing:/var/cache/beagle:/bin/bash
> I guess ftp, games and man are provided by some base package. Is there any reason those are using bash as shell instead of nologin? Can we fix this? Or should we just blacklist them?
> It's harder for suse-ncc and beagleindex as, as far as I know, those are purely historical users from older versions of openSUSE that are still there after upgrading. So I wonder what the right fix is: should we just blacklist them, or would it be acceptable to change their shell in %post of accountsservice? That last solution sounds wrong to me, but it also might fix other issues in the long term...

Absolutely do NOT change shells of other system users.

What was wrong with the minimum UID checking?

Ciao, Marcus
On Friday, 30 March 2012 at 11:15 +0200, Marcus Meissner wrote:
> On Thu, Mar 29, 2012 at 08:55:21AM +0200, Vincent Untz wrote:
> > Hi,
> > accountsservice is the service used in GNOME to get info about accounts on the system. The latest release changes the way user filtering works. See https://bugs.freedesktop.org/show_bug.cgi?id=44408
> > Quick summary:
> > - before 0.16.6: we were filtering out users based on UID (do not show users if uid < UID_MIN, where UID_MIN comes from /etc/login.defs)
> > - now: we're filtering out users based on the shell (nologin & false are hidden)
> > On top of that, we have a blacklist of users to never show.
> > That sounds reasonable except that now I see users in gdm, while they should be filtered out. Those are:
> > ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
> > games:x:12:100:Games account:/var/games:/bin/bash
> > man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
> > suse-ncc:x:106:108:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
> > beagleindex:x:108:111:User for Beagle indexing:/var/cache/beagle:/bin/bash
> > I guess ftp, games and man are provided by some base package. Is there any reason those are using bash as shell instead of nologin? Can we fix this? Or should we just blacklist them?
> > It's harder for suse-ncc and beagleindex as, as far as I know, those are purely historical users from older versions of openSUSE that are still there after upgrading. So I wonder what the right fix is: should we just blacklist them, or would it be acceptable to change their shell in %post of accountsservice? That last solution sounds wrong to me, but it also might fix other issues in the long term...
> Absolutely do NOT change shells of other system users.
> What was wrong with the minimum UID checking?

https://bugs.freedesktop.org/show_bug.cgi?id=44408 for the discussion about the change.

--
Frederic Crozat <fcrozat@suse.com>
SUSE
On Fri, Mar 30, 2012 at 11:23:07AM +0200, Frederic Crozat wrote:
> On Friday, 30 March 2012 at 11:15 +0200, Marcus Meissner wrote:
> > On Thu, Mar 29, 2012 at 08:55:21AM +0200, Vincent Untz wrote:
> > > Hi,
> > > accountsservice is the service used in GNOME to get info about accounts on the system. The latest release changes the way user filtering works. See https://bugs.freedesktop.org/show_bug.cgi?id=44408
> > > Quick summary:
> > > - before 0.16.6: we were filtering out users based on UID (do not show users if uid < UID_MIN, where UID_MIN comes from /etc/login.defs)
> > > - now: we're filtering out users based on the shell (nologin & false are hidden)
> > > On top of that, we have a blacklist of users to never show.
> > > That sounds reasonable except that now I see users in gdm, while they should be filtered out. Those are:
> > > ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
> > > games:x:12:100:Games account:/var/games:/bin/bash
> > > man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
> > > suse-ncc:x:106:108:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
> > > beagleindex:x:108:111:User for Beagle indexing:/var/cache/beagle:/bin/bash
> > > I guess ftp, games and man are provided by some base package. Is there any reason those are using bash as shell instead of nologin? Can we fix this? Or should we just blacklist them?
> > > It's harder for suse-ncc and beagleindex as, as far as I know, those are purely historical users from older versions of openSUSE that are still there after upgrading. So I wonder what the right fix is: should we just blacklist them, or would it be acceptable to change their shell in %post of accountsservice? That last solution sounds wrong to me, but it also might fix other issues in the long term...
> > Absolutely do NOT change shells of other system users.
> > What was wrong with the minimum UID checking?
> https://bugs.freedesktop.org/show_bug.cgi?id=44408 for the discussion about the change.

Was it hardcoded in accountsservice instead of being read from /etc/login.defs?

As the bugzilla thread mentions a hardcoded list of accounts that are filtered, you could just add the two above accounts to this list.

Ciao, marcus
On Friday, 30 March 2012, at 11:36 +0200, Marcus Meissner wrote:
> On Fri, Mar 30, 2012 at 11:23:07AM +0200, Frederic Crozat wrote:
> > On Friday, 30 March 2012 at 11:15 +0200, Marcus Meissner wrote:
> > > On Thu, Mar 29, 2012 at 08:55:21AM +0200, Vincent Untz wrote:
> > > > Hi,
> > > > accountsservice is the service used in GNOME to get info about accounts on the system. The latest release changes the way user filtering works. See https://bugs.freedesktop.org/show_bug.cgi?id=44408
> > > > Quick summary:
> > > > - before 0.16.6: we were filtering out users based on UID (do not show users if uid < UID_MIN, where UID_MIN comes from /etc/login.defs)
> > > > - now: we're filtering out users based on the shell (nologin & false are hidden)
[...]
> > > What was wrong with the minimum UID checking?
> > https://bugs.freedesktop.org/show_bug.cgi?id=44408 for the discussion about the change.
> Was it hardcoded in accountsservice instead of being read from /etc/login.defs?

No, it was reading /etc/login.defs. But the man page says:

  UID_MIN (number) Min user ID value for automatic uid selection in useradd

This means this setting can be ignored when creating a user and is not safe to use for filtering.

> As the bugzilla thread mentions a hardcoded list of accounts that are filtered, you could just add the two above accounts to this list.

Right, that was one of the options I was suggesting.

What about the ftp, games and man users? Is it safe to change their login shell in aaa_base on upgrades? Or should we also just blacklist them?

Thanks,

Vincent

--
Happy people are not in a hurry.
Vincent Untz wrote:
> [...]
> > > > What was wrong with the minimum UID checking?
> > > https://bugs.freedesktop.org/show_bug.cgi?id=44408 for the discussion about the change.
> > Was it hardcoded in accountsservice instead of being read from /etc/login.defs?
> No, it was reading /etc/login.defs. But the man page says:
>   UID_MIN (number) Min user ID value for automatic uid selection in useradd
> This means this setting can be ignored when creating a user and is not safe to use for filtering.

I guess Fedora noticed it as they only recently increased the minimum uid? :-)

> > As the bugzilla thread mentions a hardcoded list of accounts that are filtered, you could just add the two above accounts to this list.
> Right, that was one of the options I was suggesting.
> What about the ftp, games and man users? Is it safe to change their login shell in aaa_base on upgrades? Or should we also just blacklist them?

I'm not sure a package should change the shell on update. We could try to fix it for new installs though. I fear it could break some old cron jobs or SuSEconfig scripts that use su with those accounts though. So I'd blacklist them.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
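
The two filtering policies discussed in this thread, side by side, as an added example that is not part of the original messages and is not accountsservice's own code: it applies the old UID_MIN rule and the new shell rule (with an optional blacklist) to the passwd entries quoted above. The `daemon`, `olduser` and `alice` entries, the UID_MIN value of 1000, matching on the shell's basename and all function names are assumptions made for illustration.

```python
import os

# Constructed sample: the five entries quoted in the thread plus three
# made-up accounts (daemon, olduser, alice) to exercise both policies.
PASSWD = """\
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
suse-ncc:x:106:108:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
beagleindex:x:108:111:User for Beagle indexing:/var/cache/beagle:/bin/bash
daemon:x:2:2:Daemon:/sbin:/sbin/nologin
olduser:x:500:100:Created by hand below UID_MIN:/home/olduser:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
"""
LOGIN_DEFS = "# constructed /etc/login.defs excerpt\nUID_MIN\t\t1000\nUID_MAX 60000\n"
HIDDEN_SHELLS = {"nologin", "false"}  # assumption: match on the shell's basename

def parse_passwd(text):
    """Return (name, uid, shell) for each well-formed 7-field passwd line."""
    rows = (line.split(":") for line in text.splitlines())
    return [(f[0], int(f[2]), f[6]) for f in rows if len(f) == 7 and f[2].isdigit()]

def uid_min(login_defs, default=1000):
    """Read UID_MIN from login.defs text, ignoring comments."""
    for line in login_defs.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] == "UID_MIN" and parts[1].isdigit():
            return int(parts[1])
    return default

def shown_by_uid(users, minimum):
    """Old policy: hide every account whose UID is below UID_MIN."""
    return {n for n, uid, _ in users if uid >= minimum}

def shown_by_shell(users, blacklist=frozenset()):
    """New policy: hide nologin/false shells and blacklisted names."""
    return {n for n, _, sh in users
            if os.path.basename(sh) not in HIDDEN_SHELLS and n not in blacklist}

def compare(blacklist=frozenset()):
    """Accounts the shell policy shows, split by whether the UID policy showed them."""
    users = parse_passwd(PASSWD)
    old = shown_by_uid(users, uid_min(LOGIN_DEFS))
    new = shown_by_shell(users, blacklist)
    return {"newly_shown": sorted(new - old), "still_shown": sorted(new & old)}

if __name__ == "__main__":
    print(compare(), compare({"ftp", "games", "man", "suse-ncc", "beagleindex"}))
```

With the five names blacklisted, the only account the shell rule newly shows is `olduser`, the constructed login account created below UID_MIN that the UID rule hid.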
participants (4)
- Frederic Crozat
- Ludwig Nussel
- Marcus Meissner
- Vincent Untz