[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/ldap-uid-gid] Change minimum UID/GID for LDAP user to 2000

Guido Berhörster (@gber) gitlab at salsa.debian.org
Tue Sep 26 06:20:18 BST 2023



Guido Berhörster pushed to branch personal/gber/ldap-uid-gid at Debian Edu / debian-edu-config


Commits:
67e38935 by Guido Berhoerster at 2023-09-26T07:19:50+02:00
Change minimum UID/GID for LDAP user to 2000

With this change local user accounts now use the UID/GID range 1000-1999
instead of 500-999 whereas LDAP user accounts use 2000-59999 instead of
1000-59999.  This reserves UID/GID 0-999 for system users, which is the Debian
default; not conforming to it is increasingly problematic as packages are
beginning to use systemd-sysusers for creating system user accounts, and
systemd-sysusers does not obey /etc/adduser.conf or /etc/login.defs by default.

The first user account created during installation now has UID/GID 2000 instead
of 1000.

Configure gosa and adjust ldap-createuser-krb5 accordingly.

Closes: #1003192.

- - - - -


9 changed files:

- cf3/cf.adduser
- ldap-bootstrap/firstuser.ldif
- ldap-tools/ldap-createuser-krb5
- ldap-tools/ldap-debian-edu-install
- share/debian-edu-config/d-i/pre-pkgsel
- share/debian-edu-config/gosa.conf.template
- share/debian-edu-config/pam-nopwdchange.py
- share/debian-edu-config/tools/goodbye-user-session
- share/debian-edu-config/tools/kerberos-kdc-init


Changes:

=====================================
cf3/cf.adduser
=====================================
@@ -17,10 +17,8 @@ bundle edit_line adduser_conf
 
 replace_patterns:
 
-  "FIRST_UID=1000" replace_with => value("FIRST_UID=500");
-  "LAST_UID=59999" replace_with => value("LAST_UID=999");
-  "FIRST_GID=1000" replace_with => value("FIRST_GID=500");
-  "LAST_GID=59999" replace_with => value("LAST_GID=999");
+  "LAST_UID=59999" replace_with => value("LAST_UID=1999");
+  "LAST_GID=59999" replace_with => value("LAST_GID=1999");
   "DIR_MODE=0755"  replace_with => value("DIR_MODE=0700");
 }
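Review bot: The two new replace lines only fire while adduser.conf still carries the stock `LAST_UID=59999`/`LAST_GID=59999`, so a host where the previous version of this bundle already wrote FIRST_UID=500 and LAST_UID=999 keeps that range and its local accounts stay inside the 0-999 system-user space this commit wants to reserve. If the bundle also runs on upgraded systems, keep migration patterns next to the new ones, e.g. `"FIRST_UID=500" replace_with => value("FIRST_UID=1000");` and `"LAST_UID=999" replace_with => value("LAST_UID=1999");`, plus the GID counterparts. I cannot tell from the hunk whether upgrades are in scope; if they are handled elsewhere a comment saying so would suffice. The adduser_conf bundle begins above the hunk.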
 


=====================================
ldap-bootstrap/firstuser.ldif
=====================================
@@ -15,8 +15,8 @@ cn: $FIRSTUSERGECOS
 userPassword: $FIRSTUSERPWDHASH
 homeDirectory: /skole/tjener/home0/$FIRSTUSERNAME
 loginShell: /bin/bash
-uidNumber: 1000
-gidNumber: 1000
+uidNumber: 2000
+gidNumber: 2000
 gecos: $FIRSTUSERGECOS
 shadowLastChange: 14818
 
@@ -25,4 +25,4 @@ objectClass: top
 objectClass: posixGroup
 cn: $FIRSTUSERNAME
 description: Group of user $FIRSTUSERNAME
-gidNumber: 1000
+gidNumber: 2000


=====================================
ldap-tools/ldap-createuser-krb5
=====================================
@@ -91,11 +91,11 @@ HOMEDIR=/skole/tjener/home0/$USERNAME
 KRB5DOMAIN=INTERN
 PWLASTCHANGE=$(( $(date +%s) / (60 * 60 * 24) ))
 
-LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=1000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=1000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
+LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=2000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=2000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
 
-# If no ID was found, use LASTID=1000-1 to get uid/gid=1000
+# If no ID was found, use LASTID=2000-1 to get uid/gid=2000
 if [ -z "$LASTID" ] ; then
-    LASTID=999
+    LASTID=1999
 fi
 
 NEWUID=$(( $LASTID + 1 ))
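Review bot: If the ldapsearch on the new LASTID line fails (server unreachable, anonymous search refused), `2>/dev/null` hides the error and the pipeline's status is awk's, so LASTID comes back empty and the fallback issues 2000 — which firstuser.ldif in this same commit assigns to the first user — as a supposedly free uid/gid for the new account. Run the search on its own, abort on a non-zero status, and only then take the maximum, as sketched below. Separately, the filter still stops at `uidNumber<=10000` while the commit message gives LDAP accounts 2000-59999 and gosa allocates upward from 2000, so an account above 10000 would be invisible here and its id could be reissued; if the cap is deliberate, a check that NEWUID stays at or below it (and a comment saying why) would make that explicit. The use of NEWUID continues outside the hunk.
```shell
IDS="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=2000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=2000)(gidNumber<=10000)))' uidnumber gidnumber)" || {
    echo "error: ldapsearch failed, cannot determine the next free uid/gid" >&2
    exit 1
}
LASTID="$(printf '%s\n' "$IDS" | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
# … unchanged: fallback to LASTID=1999 when the search returned no ids …
```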


=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -363,7 +363,7 @@ if [ -x /usr/bin/certutil ] ; then
   mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
   chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
   certutil  -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
-  chown -R 1000:1000 /skole/tjener/home0/"$FIRSTUSERNAME"/
+  chown -R 2000:2000 /skole/tjener/home0/"$FIRSTUSERNAME"/
   echo "info: created PKI nssdb files for first-user"
 fi
 


=====================================
share/debian-edu-config/d-i/pre-pkgsel
=====================================
@@ -269,8 +269,8 @@ EOF
 create_initial_localadmin_user() {
     LOCAL_USER_ID="localadmin"
     LOCAL_USER_GECOS="Local Administrator"
-    LOCAL_USER_UIDNUMBER="500"
-    LOCAL_USER_PRIMGIDNUMBER="500"
+    LOCAL_USER_UIDNUMBER="1000"
+    LOCAL_USER_PRIMGIDNUMBER="1000"
 
     LOCAL_USER_INGROUPS="$LOCAL_USER_INGROUPS adm sudo"
 


=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -361,8 +361,8 @@
         userRDN="ou=people"
         groupRDN="ou=group"
         netgroupRDN="ou=netgroup"
-        gidNumberBase="1000"
-        uidNumberBase="1000"
+        gidNumberBase="2000"
+        uidNumberBase="2000"
         loginAttribute="uid"
         timezone="Etc/UTC"
         honourUnitTags="false"


=====================================
share/debian-edu-config/pam-nopwdchange.py
=====================================
@@ -30,7 +30,7 @@ def pam_sm_chauthtok(pamh, flags, argv):
   user = pamh.get_user(None)
   userinfo = pwd.getpwnam(user)
   uid = userinfo[2]
-  if 1000 <= uid:
+  if 2000 <= uid:
     text = "\nPlease visit https://www/gosa to change your password for Debian Edu / Skolelinux. Thanks!\n"
     msg = pamh.Message(pamh.PAM_TEXT_INFO, text)
     pamh.conversation(msg)
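Review bot: The new `2000 <= uid` leaves the local/LDAP boundary as a bare literal inside the function, with nothing tying it to uidNumberBase in gosa.conf.template or the LASTID fallback in ldap-createuser-krb5, both of which this commit moves in lock-step. Hoist it to a named constant with a why-comment, e.g. `LDAP_UID_MIN = 2000  # first LDAP uidNumber; keep in sync with gosa.conf uidNumberBase and ldap-createuser-krb5`, and test `if uid >= LDAP_UID_MIN:`. pam_sm_chauthtok begins before the hunk and its remaining branches are outside it.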


=====================================
share/debian-edu-config/tools/goodbye-user-session
=====================================
@@ -16,7 +16,7 @@
 # with this program; if not, write to the Free Software Foundation, Inc.,
 # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
 
-if [ $EUID -ge 500 ]; then
+if [ $EUID -ge 1000 ]; then
 
 	# safety net for well-known browsers
 	pkill -TERM -u "${LOGNAME}" x-www-browser
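Review bot: The new `1000` threshold is the only place in this script that encodes which accounts get session cleanup, and nothing says it must track FIRST_UID in cf3/cf.adduser; add `# local (adduser) users start at 1000, LDAP users at 2000 — keep in sync with cf3/cf.adduser` above the test. On systems installed before this change, localadmin presumably keeps UID 500 and no longer passes this guard, so its browsers would not be terminated at logout — if upgrades are supported, either migrate that account or lower the bound. The body of the if continues outside the hunk.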


=====================================
share/debian-edu-config/tools/kerberos-kdc-init
=====================================
@@ -248,8 +248,8 @@ firstuser_post() {
     cp -r /etc/skel $HOMEDIR
 
     # Must use uid/gid as NSS is not able to connect to LDAP yet
-    FIRSTUSERUID=1000
-    FIRSTUSERGID=1000
+    FIRSTUSERUID=2000
+    FIRSTUSERGID=2000
     chown -R $FIRSTUSERUID:$FIRSTUSERGID $HOMEDIR
 
     pwlen=$(echo -n "$FIRSTUSERPWD" | wc -c)
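Review bot: FIRSTUSERUID/FIRSTUSERGID are set to the literal 2000 here while the same value is written independently into firstuser.ldif, ldap-debian-edu-install and the gosa uidNumberBase; if any one of them is bumped again, the home directory under $HOMEDIR ends up owned by an id that no longer matches the LDAP entry. Make the coupling explicit in the existing comment: `# Must use uid/gid as NSS is not able to connect to LDAP yet; 2000 must match uidNumber/gidNumber in ldap-bootstrap/firstuser.ldif`. Quoting `"$HOMEDIR"` in the cp and chown lines would also guard against word splitting, though that predates this change. firstuser_post continues outside the hunk.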



View it on GitLab: https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/67e38935928b74d9dafcf9d2adb71812aab4697b
