conf/157500: posible chsh bug on systems using nss_ldap/pam_ldap
ends adding users to /etc/master.passwd
Nicolas de Bari Embriz Garcia Rojas
nbari at sign.io
Wed Jun 1 15:40:09 UTC 2011
>Number: 157500
>Category: conf
>Synopsis: posible chsh bug on systems using nss_ldap/pam_ldap ends adding users to /etc/master.passwd
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Wed Jun 01 15:40:09 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator: Nicolas de Bari Embriz Garcia Rojas
>Release: 8.1-STABLE
>Organization:
>Environment:
FreeBSD sign.io 8.1-STABLE FreeBSD 8.1-STABLE #1: Sun Nov 21 16:09:52 CET 2010 root at sign.io:/usr/obj/usr/src/sys/SIGNIO amd64
>Description:
I have a server using nss_ldap/pam_ldap (all users are stored on an ldap directory) but I notice that few users where available to change their shell using the command chsh -s /bin/sh.
In theory chsh like the passwd command should not operate on ldap and just work for local users.
in fact the passwd command output this:
passwd: Sorry, `passwd' can only change passwords for local or NIS users.
when creating an account via web (www.sign.io - info stored on ldap not localy and in a remote server) and after login for the first time to the server via ssh, the user can execute the command chsh -s /bin/sh and chsh will add the user to the /etc/passwd and /etc/master.passwd (this should not happen) but seems like chsh is ignoring nsswitch.conf:
group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: files
protocols: files
rpc: files
if the user change his password (not using the passwd command) using an alternate script like this one:
---
#!/bin/sh
stty -echo
read -p "Old Password: " oldp; echo
read -p "New Password: " np1; echo
read -p "Retype New Password: " np2; echo
stty echo
if [ "$np1" != "$np2" ]; then
echo "Passwords do not match."
exit 1
fi
ldappasswd -h 172.16.13.1 -D uid="$USER",ou=people,dc=sign,dc=io\
-w "$oldp" \
-a "$oldp" \
-s "$np1"
# http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/article.html
---
The user can still login the the shell but if he want to change his shell again, he has to use his previous password since a new record on /etc/passwd and /etc/master.passwd has been created.
also the this new record does not respect the login.conf, since the entry looks like this:
test4:$1$YAvOssdO$JjZcAPX/4QppDIPlS2P4s.:4658:4658::0:0:test:/home/users/t/e/s/test4:/bin/sh
where in theory they should have a hash beginning with $2 (since blf) is specified on the login.conf
the current login.conf is like this:
default:\
:passwd_format=blf:\
:minpasswordlen=6:\
:copyright=/etc/COPYRIGHT:\
:welcome=/etc/welcome:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
:path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
:nologin=/var/run/nologin:\
:cputime=1h:\
:datasize=10M:\
:stacksize=2M:\
:memorylocked=2M:\
:memoryuse=8M:\
:filesize=10M:\
:coredumpsize=0:\
:openfiles=50:\
:maxproc=10:\
:sbsize=unlimited:\
:vmemoryuse:16M:\
:priority=5:\
:ignoretime@:\
:requirehome=1:\
:idletime=30:\
:umask=077:
http://forums.freebsd.org/showthread.php?p=136224#post136224
>How-To-Repeat:
create an account via ldap not locally (live example on www.sign.io)
login the the shell server that uses pam_ldap/nss_ldap (no local users on /etc/master.passwd) and execute the chsh -s /bin/sh.
chsh will ask for a password the one will be stored or used for creating a new entry on /etc/passwd (later update will update /etc/mater.passwd) (this should not happened)
>Fix:
unknown, maybe temporally disabling chsh
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list