[debian-edu-commits] [Git][debian-edu/debian-edu-config][personal/gber/ldap-uid-gid] Change minimum UID/GID for LDAP user to 2000
Guido Berhörster (@gber)
gitlab at salsa.debian.org
Tue Sep 26 06:20:18 BST 2023
Guido Berhörster pushed to branch personal/gber/ldap-uid-gid at Debian Edu / debian-edu-config
Commits:
67e38935 by Guido Berhoerster at 2023-09-26T07:19:50+02:00
Change minimum UID/GID for LDAP user to 2000
With this change local user accounts now use the UID/GID range 1000-1999
instead of 500-999 whereas LDAP user accounts use 2000-59999 instead of
1000-59999. This reserves UID/GID 0-999 for system users, which is the
default in Debian; not conforming to it is increasingly problematic, as
packages are beginning to use systemd-sysusers to create system user
accounts, and it does not honour /etc/addusers.conf or /etc/login.defs by default.
The first user account created during installation now has UID/GID 2000 instead
of 1000.
Configure gosa and adjust ldap-createuser-krb5 accordingly.
Closes: #1003192.
- - - - -
9 changed files:
- cf3/cf.adduser
- ldap-bootstrap/firstuser.ldif
- ldap-tools/ldap-createuser-krb5
- ldap-tools/ldap-debian-edu-install
- share/debian-edu-config/d-i/pre-pkgsel
- share/debian-edu-config/gosa.conf.template
- share/debian-edu-config/pam-nopwdchange.py
- share/debian-edu-config/tools/goodbye-user-session
- share/debian-edu-config/tools/kerberos-kdc-init
Changes:
=====================================
cf3/cf.adduser
=====================================
@@ -17,10 +17,8 @@ bundle edit_line adduser_conf
replace_patterns:
- "FIRST_UID=1000" replace_with => value("FIRST_UID=500");
- "LAST_UID=59999" replace_with => value("LAST_UID=999");
- "FIRST_GID=1000" replace_with => value("FIRST_GID=500");
- "LAST_GID=59999" replace_with => value("LAST_GID=999");
+ "LAST_UID=59999" replace_with => value("LAST_UID=1999");
+ "LAST_GID=59999" replace_with => value("LAST_GID=1999");
"DIR_MODE=0755" replace_with => value("DIR_MODE=0700");
}
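Review bot: The upgrade path is not handled: a host that was configured before this change already has FIRST_UID=500 and LAST_UID=999 in /etc/adduser.conf, and the two remaining replace patterns match only the stock values LAST_UID=59999/LAST_GID=59999, so such a host keeps handing out local UIDs from 500 — inside the 0-999 system range this commit sets out to reserve. I would add replace patterns for the values earlier versions of this bundle wrote, next to the two new ones, for both the UID and the GID pair. The `adduser_conf` bundle extends beyond the hunk and some of its context lines appear to have been dropped from this rendering, so whether a FIRST_UID pattern survives elsewhere cannot be confirmed from here.
```cfengine3
  "LAST_UID=59999" replace_with => value("LAST_UID=1999");
  "LAST_GID=59999" replace_with => value("LAST_GID=1999");
  # upgrade path: undo the 500-999 range written by earlier versions of this bundle
  "FIRST_UID=500" replace_with => value("FIRST_UID=1000");
  "LAST_UID=999" replace_with => value("LAST_UID=1999");
  "FIRST_GID=500" replace_with => value("FIRST_GID=1000");
  "LAST_GID=999" replace_with => value("LAST_GID=1999");
```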
=====================================
ldap-bootstrap/firstuser.ldif
=====================================
@@ -15,8 +15,8 @@ cn: $FIRSTUSERGECOS
userPassword: $FIRSTUSERPWDHASH
homeDirectory: /skole/tjener/home0/$FIRSTUSERNAME
loginShell: /bin/bash
-uidNumber: 1000
-gidNumber: 1000
+uidNumber: 2000
+gidNumber: 2000
gecos: $FIRSTUSERGECOS
shadowLastChange: 14818
@@ -25,4 +25,4 @@ objectClass: top
objectClass: posixGroup
cn: $FIRSTUSERNAME
description: Group of user $FIRSTUSERNAME
-gidNumber: 1000
+gidNumber: 2000
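Review bot: The value 2000 is now hard-coded independently here, in `uidNumberBase`/`gidNumberBase` of share/debian-edu-config/gosa.conf.template, in the LASTID fallback of ldap-tools/ldap-createuser-krb5, in the chown of ldap-tools/ldap-debian-edu-install and in FIRSTUSERUID/FIRSTUSERGID of share/debian-edu-config/tools/kerberos-kdc-init, with nothing tying them together; if one of them is bumped again on its own, the first user's home directory ends up owned by a different account than the one LDAP says it is. A comment above the uidNumber line would at least make the coupling visible: `# 2000 is the first id of the LDAP range; keep in sync with uidNumberBase in gosa.conf.template, LASTID in ldap-createuser-krb5 and FIRSTUSERUID in kerberos-kdc-init`. The same remark applies to the other files named above, so I am raising it only once here.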
=====================================
ldap-tools/ldap-createuser-krb5
=====================================
@@ -91,11 +91,11 @@ HOMEDIR=/skole/tjener/home0/$USERNAME
KRB5DOMAIN=INTERN
PWLASTCHANGE=$(( $(date +%s) / (60 * 60 * 24) ))
-LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=1000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=1000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
+LASTID="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=2000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=2000)(gidNumber<=10000)))' uidnumber gidnumber 2>/dev/null | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
-# If no ID was found, use LASTID=1000-1 to get uid/gid=1000
+# If no ID was found, use LASTID=2000-1 to get uid/gid=2000
if [ -z "$LASTID" ] ; then
- LASTID=999
+ LASTID=1999
fi
NEWUID=$(( $LASTID + 1 ))
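Review bot: On the rewritten LASTID line a failing ldapsearch is indistinguishable from an empty directory: stderr is discarded and the pipeline's status is awk's, so any LDAP error leaves LASTID empty, the fallback on the following lines sets it to 1999, and NEWUID becomes 2000 — the uidNumber ldap-bootstrap/firstuser.ldif gives the first user, handing the new account ownership of that user's files. I would capture the search separately, abort on a non-zero status, and only then feed the output to awk. Separately, the filter still caps the search at 10000 while the commit message describes the LDAP range as 2000-59999, and NEWUID has no upper bound, so once an id above 10000 exists the search no longer sees it and the next id is recomputed from 10000; whether that cap is intentional cannot be told from here.
```shell
if ! ids="$(ldapsearch -x -LLL -o ldif-wrap=no '(|(&(objectclass=posixaccount)(uidNumber>=2000)(uidNumber<=10000))(&(objectclass=posixgroup)(gidNumber>=2000)(gidNumber<=10000)))' uidnumber gidnumber)"; then
    echo "error: LDAP search for existing uid/gid numbers failed, refusing to allocate an id" >&2
    exit 1
fi
LASTID="$(printf '%s\n' "$ids" | awk '/^[ug]idNumber: / {if (max < $2) { max = $2; } } END { print max}')"
# … unchanged: fallback to LASTID=1999 when no ID was found, NEWUID computation …
```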
=====================================
ldap-tools/ldap-debian-edu-install
=====================================
@@ -363,7 +363,7 @@ if [ -x /usr/bin/certutil ] ; then
mkdir -p /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
chmod -R 700 /skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb
certutil -A -d sql:/skole/tjener/home0/"$FIRSTUSERNAME"/.pki/nssdb/ -t "CT,CT," -n "DebianEdu" -i /etc/ssl/certs/Debian-Edu_rootCA.crt
- chown -R 1000:1000 /skole/tjener/home0/"$FIRSTUSERNAME"/
+ chown -R 2000:2000 /skole/tjener/home0/"$FIRSTUSERNAME"/
echo "info: created PKI nssdb files for first-user"
fi
=====================================
share/debian-edu-config/d-i/pre-pkgsel
=====================================
@@ -269,8 +269,8 @@ EOF
create_initial_localadmin_user() {
LOCAL_USER_ID="localadmin"
LOCAL_USER_GECOS="Local Administrator"
- LOCAL_USER_UIDNUMBER="500"
- LOCAL_USER_PRIMGIDNUMBER="500"
+ LOCAL_USER_UIDNUMBER="1000"
+ LOCAL_USER_PRIMGIDNUMBER="1000"
LOCAL_USER_INGROUPS="$LOCAL_USER_INGROUPS adm sudo"
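Review bot: The new assignments `LOCAL_USER_UIDNUMBER="1000"` and `LOCAL_USER_PRIMGIDNUMBER="1000"` give no hint where 1000 comes from, while the other half of the split lives in cf3/cf.adduser (local range ending at LAST_UID=1999) and share/debian-edu-config/gosa.conf.template (LDAP base 2000). A comment above the two assignments, `# first id of the local range (1000-1999, see cf3/cf.adduser); LDAP accounts start at 2000`, would keep a future bump from landing in the LDAP range. create_initial_localadmin_user continues beyond the hunk.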
=====================================
share/debian-edu-config/gosa.conf.template
=====================================
@@ -361,8 +361,8 @@
userRDN="ou=people"
groupRDN="ou=group"
netgroupRDN="ou=netgroup"
- gidNumberBase="1000"
- uidNumberBase="1000"
+ gidNumberBase="2000"
+ uidNumberBase="2000"
loginAttribute="uid"
timezone="Etc/UTC"
honourUnitTags="false"
=====================================
share/debian-edu-config/pam-nopwdchange.py
=====================================
@@ -30,7 +30,7 @@ def pam_sm_chauthtok(pamh, flags, argv):
user = pamh.get_user(None)
userinfo = pwd.getpwnam(user)
uid = userinfo[2]
- if 1000 <= uid:
+ if 2000 <= uid:
text = "\nPlease visit https://www/gosa to change your password for Debian Edu / Skolelinux. Thanks!\n"
msg = pamh.Message(pamh.PAM_TEXT_INFO, text)
pamh.conversation(msg)
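Review bot: `if 2000 <= uid:` encodes the local/LDAP boundary as a bare literal inside pam_sm_chauthtok, with nothing indicating that it must track uidNumberBase in share/debian-edu-config/gosa.conf.template. A module-level constant with a comment, `LDAP_UID_MIN = 2000  # lowest LDAP uidNumber; keep in sync with uidNumberBase in gosa.conf.template`, and `if LDAP_UID_MIN <= uid:` here would make that dependency visible. Accounts in 1000-1999 now fall through to whatever follows this branch, which lies outside the hunk, so their handling cannot be confirmed from here.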
=====================================
share/debian-edu-config/tools/goodbye-user-session
=====================================
@@ -16,7 +16,7 @@
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-if [ $EUID -ge 500 ]; then
+if [ $EUID -ge 1000 ]; then
# safety net for well-known browsers
pkill -TERM -u "${LOGNAME}" x-www-browser
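Review bot: `if [ $EUID -ge 1000 ]; then` leaves `$EUID` unquoted, and EUID is a bash-specific variable: if this script runs under a `#!/bin/sh` interpreter (the shebang is outside the hunk) it is unset, the test degenerates to `[ -ge 1000 ]` and errors out, and the browser cleanup is skipped for every session. I would use `if [ "$(id -u)" -ge 1000 ]; then`, which works under either shell, and add `# only for regular accounts (local 1000-1999, LDAP 2000+), never for system users` above it so the threshold is tied to the ranges this commit defines.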
=====================================
share/debian-edu-config/tools/kerberos-kdc-init
=====================================
@@ -248,8 +248,8 @@ firstuser_post() {
cp -r /etc/skel $HOMEDIR
# Must use uid/gid as NSS is not able to connect to LDAP yet
- FIRSTUSERUID=1000
- FIRSTUSERGID=1000
+ FIRSTUSERUID=2000
+ FIRSTUSERGID=2000
chown -R $FIRSTUSERUID:$FIRSTUSERGID $HOMEDIR
pwlen=$(echo -n "$FIRSTUSERPWD" | wc -c)