Your message dated Mon, 02 Jun 2025 17:37:29 +0000
with message-id <e1um96h-003zok...@respighi.debian.org>
and subject line unblock libpam-mklocaluser
has caused the Debian Bug report #1107160,
regarding unblock: libpam-mklocaluser/0.20
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1107160: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107160
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libpam-mklocalu...@packages.debian.org
Control: affects -1 + src:libpam-mklocaluser
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libpam-mklocaluser

[ Reason ]

1.
On Debian Edu Roaming Workstations based on Debian (Edu) 13 (driven by
libpam-mklocaluser) it was discovered that local user accounts (created
via login from LDAP user accounts) always had /bin/sh configured as user
shell. In previous versions of Debian Edu it used to be /bin/bash (less
annoying but also hard-coded / static, it seems).

The correct approach, however, is using the shell from getent passwd -s
ldap <user> (which the new 0.20 version provides).

2.
The MINIMUM_UID used in libpam-mklocaluser is now not hard-coded anymore
but looked up in /etc/login.defs.


[ Impact ]
All Debian Edu users on roaming workstations (mobile devices) get a
/bin/sh in their terminal apps as shell and can't configure that
otherwise as they mostly lack root privileges on their school notebooks.

[ Tests ]
Manual tests on Debian Edu 13 roaming workstations.

[ Risks ]
Minimal, Debian Edu only, mostly.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None.

unblock libpam-mklocaluser/0.20
diff -Nru libpam-mklocaluser-0.19/debian/changelog 
libpam-mklocaluser-0.20/debian/changelog
--- libpam-mklocaluser-0.19/debian/changelog    2023-09-22 18:29:16.000000000 
+0200
+++ libpam-mklocaluser-0.20/debian/changelog    2025-06-02 15:01:06.000000000 
+0200
@@ -1,3 +1,14 @@
+libpam-mklocaluser (0.20) unstable; urgency=medium
+
+  [ Guido Berhoerster ]
+  * Determine minimum UID for regular users from login.defs
+
+  [ Mike Gabriel ]
+  * debian/pam-python.py: Take user shell into account when creating local
+    user account.
+
+ -- Mike Gabriel <sunwea...@debian.org>  Mon, 02 Jun 2025 15:01:06 +0200
+
 libpam-mklocaluser (0.19) unstable; urgency=medium
 
   * Team upload.
diff -Nru libpam-mklocaluser-0.19/debian/pam-python.py 
libpam-mklocaluser-0.20/debian/pam-python.py
--- libpam-mklocaluser-0.19/debian/pam-python.py        2023-09-22 
18:29:12.000000000 +0200
+++ libpam-mklocaluser-0.20/debian/pam-python.py        2025-06-02 
15:00:08.000000000 +0200
@@ -40,7 +40,21 @@
 
 
 HOOK_PATH = Path("/etc/mklocaluser.d")
-MINIMUM_UID = 1000 # FIXME read UID_MIN from login.defs?
+
+
+def get_minimum_uid():
+    min_uid = 1000
+    with open("/etc/login.defs") as f:
+        for line in f:
+            parts = line.strip().split(maxsplit=1)
+            if len(parts) == 2 and parts[0] == "UID_MIN":
+                try:
+                    min_uid = int(parts[1])
+                except ValueError:
+                    pass
+                break
+
+    return min_uid
 
 
 def check_and_create_localuser(pamh, user):
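
Review bot: the open("/etc/login.defs") call in get_minimum_uid() has no OSError handling, so a missing or unreadable file raises out of the function instead of falling back to the default of 1000 that min_uid is initialised with. Wrapping the with block in try/except OSError and returning min_uid would keep the old behaviour in that case. Two smaller points in the same function: a line such as "UID_MIN 1000 # comment" makes int(parts[1]) raise ValueError, which is swallowed by "pass" and silently yields 1000, so a syslog warning in that except branch would make a misparsed threshold visible; and the function has no docstring saying what it returns when UID_MIN is absent.
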
@@ -52,7 +66,7 @@
         return pamh.PAM_USER_UNKNOWN
 
     # Ignore users belwo minimum UID
-    if userinfo.pw_uid < MINIMUM_UID:
+    if userinfo.pw_uid < get_minimum_uid():
         return pamh.PAM_SUCCESS
 
     # Ignore users with existing entry in /etc/passwd
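
Review bot: the comparison "userinfo.pw_uid < get_minimum_uid()" now re-reads /etc/login.defs on every call, and it runs before the PAM_SUCCESS return, so anything get_minimum_uid() raises surfaces here in the login path. Since this check is what keeps system accounts out of local-account creation, consider reading the value once at module load (as the old MINIMUM_UID constant was) or catching the failure at this call site. The context comment just above the changed line still reads "belwo"; it could be corrected to "below" while this line is being touched.
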
@@ -101,7 +115,7 @@
     syslog.syslog(
         f"Creating local passwd/shadow entry uid={userinfo.pw_uid}({user}) "
         f"gid={userinfo.pw_gid}({groupname}) gecos='{userinfo.pw_gecos}' "
-        f"home={new_home}"
+        f"home={new_home} shell='{userinfo.pw_shell}'"
     )
     with tempfile.TemporaryDirectory(ignore_cleanup_errors=True) as tmpdir:
         # Use alternative path to the root directory to trick useradd into
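
Review bot: the added shell='{userinfo.pw_shell}' field writes a directory-supplied string into the log line inside plain single quotes, the same way gecos already is. A value containing a quote or whitespace makes the line ambiguous to parse afterwards. Formatting it with !r (f"shell={userinfo.pw_shell!r}") would keep the field boundaries unambiguous and show any unexpected characters.
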
@@ -115,6 +129,7 @@
                 [
                     "useradd", "--prefix", root, "--uid", str(userinfo.pw_uid),
                     "--no-user-group", "--create-home", "--home-dir", new_home,
+                    "--shell", userinfo.pw_shell,
                     "--comment", userinfo.pw_gecos, user
                 ],
                 capture_output=True, text=True, check=True
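
Review bot: userinfo.pw_shell is passed to "--shell" without any check. Because the arguments are a list there is no shell-injection concern, but the value comes from the directory and may be empty or name a shell that is not installed on the roaming workstation, in which case the local account is created with a login shell the user cannot start. Consider verifying that pw_shell is a non-empty absolute path to an existing executable (or is listed in /etc/shells) and omitting "--shell" otherwise, so useradd applies its own default.
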

--- End Message ---
--- Begin Message ---
Unblocked libpam-mklocaluser.

--- End Message ---
