From owner-freebsd-bugs@FreeBSD.ORG Wed Jun 1 15:40:09 2011 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D0E981065670 for ; Wed, 1 Jun 2011 15:40:09 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id AE6528FC18 for ; Wed, 1 Jun 2011 15:40:09 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p51Fe97Y013676 for ; Wed, 1 Jun 2011 15:40:09 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p51Fe9Ll013675; Wed, 1 Jun 2011 15:40:09 GMT (envelope-from gnats) Resent-Date: Wed, 1 Jun 2011 15:40:09 GMT Resent-Message-Id: <201106011540.p51Fe9Ll013675@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Nicolas de Bari Embriz Garcia Rojas Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1B099106566C for ; Wed, 1 Jun 2011 15:39:19 +0000 (UTC) (envelope-from nobody@FreeBSD.org) Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22]) by mx1.freebsd.org (Postfix) with ESMTP id 0AF118FC14 for ; Wed, 1 Jun 2011 15:39:19 +0000 (UTC) Received: from red.freebsd.org (localhost [127.0.0.1]) by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p51FdHLJ084147 for ; Wed, 1 Jun 2011 15:39:17 GMT (envelope-from nobody@red.freebsd.org) Received: (from nobody@localhost) by red.freebsd.org (8.14.4/8.14.4/Submit) id p51FdHEU084146; Wed, 1 Jun 2011 15:39:17 GMT (envelope-from nobody) Message-Id: <201106011539.p51FdHEU084146@red.freebsd.org> Date: Wed, 1 Jun 2011 15:39:17 GMT From: Nicolas de Bari Embriz Garcia Rojas To: freebsd-gnats-submit@FreeBSD.org X-Send-Pr-Version: www-3.1 Cc: Subject: conf/157500: posible chsh bug on systems using nss_ldap/pam_ldap ends adding users to /etc/master.passwd X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 01 Jun 2011 15:40:09 -0000 >Number: 157500 >Category: conf >Synopsis: posible chsh bug on systems using nss_ldap/pam_ldap ends adding users to /etc/master.passwd >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Jun 01 15:40:09 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Nicolas de Bari Embriz Garcia Rojas >Release: 8.1-STABLE >Organization: >Environment: FreeBSD sign.io 8.1-STABLE FreeBSD 8.1-STABLE #1: Sun Nov 21 16:09:52 CET 2010 root@sign.io:/usr/obj/usr/src/sys/SIGNIO amd64 >Description: I have a server using nss_ldap/pam_ldap (all users are stored on an ldap directory) but I notice that few users where available to change their shell using the command chsh -s /bin/sh. In theory chsh like the passwd command should not operate on ldap and just work for local users. in fact the passwd command output this: passwd: Sorry, `passwd' can only change passwords for local or NIS users. when creating an account via web (www.sign.io - info stored on ldap not localy and in a remote server) and after login for the first time to the server via ssh, the user can execute the command chsh -s /bin/sh and chsh will add the user to the /etc/passwd and /etc/master.passwd (this should not happen) but seems like chsh is ignoring nsswitch.conf: group: files ldap hosts: files dns networks: files passwd: files ldap shells: files services: files protocols: files rpc: files if the user change his password (not using the passwd command) using an alternate script like this one: --- #!/bin/sh stty -echo read -p "Old Password: " oldp; echo read -p "New Password: " np1; echo read -p "Retype New Password: " np2; echo stty echo if [ "$np1" != "$np2" ]; then echo "Passwords do not match." exit 1 fi ldappasswd -h 172.16.13.1 -D uid="$USER",ou=people,dc=sign,dc=io\ -w "$oldp" \ -a "$oldp" \ -s "$np1" # http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/article.html --- The user can still login the the shell but if he want to change his shell again, he has to use his previous password since a new record on /etc/passwd and /etc/master.passwd has been created. also the this new record does not respect the login.conf, since the entry looks like this: test4:$1$YAvOssdO$JjZcAPX/4QppDIPlS2P4s.:4658:4658::0:0:test:/home/users/t/e/s/test4:/bin/sh where in theory they should have a hash beginning with $2 (since blf) is specified on the login.conf the current login.conf is like this: default:\ :passwd_format=blf:\ :minpasswordlen=6:\ :copyright=/etc/COPYRIGHT:\ :welcome=/etc/welcome:\ :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\ :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\ :nologin=/var/run/nologin:\ :cputime=1h:\ :datasize=10M:\ :stacksize=2M:\ :memorylocked=2M:\ :memoryuse=8M:\ :filesize=10M:\ :coredumpsize=0:\ :openfiles=50:\ :maxproc=10:\ :sbsize=unlimited:\ :vmemoryuse:16M:\ :priority=5:\ :ignoretime@:\ :requirehome=1:\ :idletime=30:\ :umask=077: http://forums.freebsd.org/showthread.php?p=136224#post136224 >How-To-Repeat: create an account via ldap not locally (live example on www.sign.io) login the the shell server that uses pam_ldap/nss_ldap (no local users on /etc/master.passwd) and execute the chsh -s /bin/sh. chsh will ask for a password the one will be stored or used for creating a new entry on /etc/passwd (later update will update /etc/mater.passwd) (this should not happened) >Fix: unknown, maybe temporally disabling chsh >Release-Note: >Audit-Trail: >Unformatted: