#22: pam_mkhomedir uses user alias username instead of canonical name when creating home directories

Reporter: musicalvegan0 | Owner: pam-developers@…
Type: defect | Status: new
Priority: major | Component: modules
Version: 1.1.x | Keywords: sssd, ipa, active directory, mkhomedir
Blocked By: | Blocking:

When logging in with an "alias" for the first time, mkhomedir will take the alias of the user instead of looking up the canonical name associated with the alias. This can lead to the creation of the wrong home directory and ends up putting the user somewhere other than their home directory.
Please see this listserv archive for additional context: https://lists.fedorahosted.org/pipermail/sssd-users/2013-October/001056.html
Steps to reproduce:
1. Create a user account with an alias on a directory server.
2. Configure PAM to authenticate against the directory server.
3. Configure PAM with pam_mkhomedir.so so home directories are created for first-time logins.
4. Log in for the first time with the user's alias.
What is expected to happen: The proper home directory is created and the user is chdir-ed into it.
What actually happens: This can vary. In my case, the user's home directory path is not retrieved from the directory server and a fallback home directory is erroneously created. The user is not started in the proper home directory.
Comment (by ldv):
You mean that in your case getpwnam(NAME)->pw_name differs from NAME, and getpwnam(getpwnam(NAME)->pw_name)->pw_dir differs from getpwnam(NAME)->pw_dir?
Changes (by sgallagh):
* cc: sgallagh@… (added)
Comment:
Replying to [comment:1 ldv]:
> You mean that in your case getpwnam(NAME)->pw_name differs from NAME,
> and getpwnam(getpwnam(NAME)->pw_name)->pw_dir differs from getpwnam(NAME)->pw_dir?
In more detail:
"{{{getpwnam(NAME)->pw_name}}} differs from NAME" is a true statement. In the particular inciting event, it's because the user was logging in via SSSD to an Active Directory user named "Guest". Because AD accounts are case-insensitive, SSSD has to normalize this user to 'guest', so the ->pw_name value doesn't match.
The user also had an empty value for the homedir on the server, which is translated by SSSD to be {{{/path/to/homes/getpwnam(NAME)->pw_name}}}. So 'getent passwd Guest' ends up returning:
{{{
guest:*:500:500:Guest User:/home/guest:/bin/bash
}}}
So {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} ''should'' be the same as {{{getpwnam(NAME)->pw_dir}}}
Comment (by ldv):
OK, {{{pam_mkhomedir}}} essentially implements the following:
- gets {{{NAME}}} via {{{pam_get_item(PAM_USER)}}}, it is the same {{{NAME}}} that was passed to {{{pam_start()}}} unless explicitly changed using {{{pam_set_item(PAM_USER)}}};
- if {{{getpwnam(NAME)->pw_dir}}} exists, exit;
- if {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} exists, exit;
- create {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} from the skeleton directory.
I agree this logic is somewhat flawed wrt {{{getpwnam(NAME)->pw_name}}} indirection which looks redundant here. But the problem described in sssd-users mailing list could arise due to {{{pam_mkhomedir}}} ''only if'' {{{getpwnam(NAME)->pw_dir}}} differs from {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}}, which is certainly not the wisest thing to do.
Comment (by musicalvegan0):
Unfortunately I can't contribute much to this discussion, but if any testing needs to be done in my environment, I'd be happy to oblige.
Comment (by ldv):
The canonical name associated with the alias is not a well defined notion. Suppose that
- pam_get_user() returns NAME1;
- getpwnam(NAME1)->pw_name is NAME2;
- getpwnam(NAME2)->pw_name is NAME3;
- getpwnam(NAME3)->pw_name is NAME1.
What would you call the canonical name in a case like this?
Wouldn't it be better if PAM modules did no attempts to "canonicalize" user names at all?
Comment (by sgallagh):
Replying to [comment:5 ldv]:
> The canonical name associated with the alias is not a well defined
> notion.
> Suppose that
> - pam_get_user() returns NAME1;
> - getpwnam(NAME1)->pw_name is NAME2;
> - getpwnam(NAME2)->pw_name is NAME3;
> - getpwnam(NAME3)->pw_name is NAME1.
> What would you call the canonical name in a case like this?
> Wouldn't it be better if PAM modules did no attempts to "canonicalize"
> user names at all?
For what it's worth, in SSSD's LDAP provider, this situation is impossible. We select one entry from the list of aliases (with sensible heuristics) and it will always return that one no matter which alias you try to use.
Changes (by ldv):
* status: new => closed
* resolution: => fixed
Comment:
Replying to [comment:3 ldv]:
> OK, {{{pam_mkhomedir}}} essentially implements the following:
> - gets {{{NAME}}} via {{{pam_get_item(PAM_USER)}}}, it is the same
> {{{NAME}}} that was passed to {{{pam_start()}}} unless explicitly changed using {{{pam_set_item(PAM_USER)}}};
> - if {{{getpwnam(NAME)->pw_dir}}} exists, exit;
> - if {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} exists, exit;
> - create {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} from the
> skeleton directory.
https://git.fedorahosted.org/cgit/linux-pam.git/commit/?id=f9db4aae8b0292d1273c7acda1cc20ff87fabd5c brings the check and the creation back in sync, both handling {{{getpwnam(NAME)->pw_dir}}}.
A system where {{{getpwnam(NAME)->pw_dir}}} differs from {{{getpwnam(getpwnam(NAME)->pw_name)->pw_dir}}} is likely to suffer from other problems, and {{{pam_mkhomedir}}} is not the right place to deal with them.
I'm closing this bug report as fixed, assuming that it was actually about inconsistency between the home directory check and its creation.
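As an added illustration (not code from Linux-PAM or from anyone in this thread) of the check/create mismatch ldv lists in comment 3 and the fix in the commit linked above: it models getpwnam() with a constructed in-memory table and the filesystem with a small set, then runs the pre-fix and post-fix decision logic side by side. The `jdoe-alias`/`jdoe` pair is a hypothetical NSS source whose alias and canonical entries disagree on pw_dir; the `Guest`/`guest` pair is the consistent case sgallagh describes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for getpwnam(): lookup key -> (pw_name, pw_dir). */
struct pwent { const char *key, *pw_name, *pw_dir; };
static const struct pwent db[] = {
    { "Guest", "guest", "/home/guest" },   /* consistent alias, as SSSD returns it */
    { "guest", "guest", "/home/guest" },
    { "jdoe-alias", "jdoe", "/home/jdoe-alias" }, /* hypothetical inconsistent source: */
    { "jdoe", "jdoe", "/home/jdoe" },             /* alias and canonical disagree on pw_dir */
};
static const struct pwent *lookup(const char *name) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].key, name) == 0) return &db[i];
    return NULL;
}
/* Toy filesystem: the set of home directories that exist right now. */
struct fs { char dirs[8][64]; int n; };
static int fs_exists(const struct fs *f, const char *d) {
    for (int i = 0; i < f->n; i++) if (strcmp(f->dirs[i], d) == 0) return 1;
    return 0;
}
static void fs_mkdir(struct fs *f, const char *d) {
    if (f->n < 8) snprintf(f->dirs[f->n++], 64, "%s", d);
}
/* Pre-fix logic as ldv lists it: check NAME's pw_dir, then the canonical
   entry's pw_dir, and create the canonical one.  Returns the path created,
   or NULL if the module exited early. */
const char *mkhomedir_old(struct fs *f, const char *name) {
    const struct pwent *p = lookup(name), *c;
    if (!p || fs_exists(f, p->pw_dir)) return NULL;
    c = lookup(p->pw_name);
    if (!c || fs_exists(f, c->pw_dir)) return NULL;
    fs_mkdir(f, c->pw_dir);
    return c->pw_dir;
}
/* Post-fix logic (commit f9db4aae): check and create getpwnam(NAME)->pw_dir. */
const char *mkhomedir_new(struct fs *f, const char *name) {
    const struct pwent *p = lookup(name);
    if (!p || fs_exists(f, p->pw_dir)) return NULL;
    fs_mkdir(f, p->pw_dir);
    return p->pw_dir;
}
/* The login program chdir()s into getpwnam(NAME)->pw_dir: does it exist now? */
int login_home_ok(const struct fs *f, const char *name) {
    const struct pwent *p = lookup(name);
    return p && fs_exists(f, p->pw_dir);
}
```

With the inconsistent pair, the old logic creates /home/jdoe while the session is started in /home/jdoe-alias, which is exactly the "wrong home directory" symptom in the report; with the consistent Guest/guest pair both versions behave the same.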