Package: release.debian.org
Severity: normal
X-Debbugs-Cc: libpam-mklocalu...@packages.debian.org
Control: affects -1 + src:libpam-mklocaluser
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package libpam-mklocaluser

[ Reason ]
1. On Debian Edu Roaming Workstations based on Debian (Edu) 13 (driven by libpam-mklocaluser) it was discovered that local user accounts (created via login from LDAP user accounts) always had /bin/sh configured as user shell. In previous versions of Debian Edu it used to be /bin/bash (less annoying but also hard-coded / static, it seems). The correct approach, however, is using the shell from getent passwd -s ldap <user> (which the new 0.20 version provides).

2. The MINIMUM_UID used in libpam-mklocaluser is now not hard-coded anymore but looked up in /etc/login.defs.

[ Impact ]
All Debian Edu users on roaming workstations (mobile devices) get a /bin/sh in their terminal apps as shell and can't configure that otherwise as they mostly lack root privileges on their school notebooks.

[ Tests ]
Manual tests on Debian Edu 13 roaming workstations.

[ Risks ]
Minimal, Debian Edu only, mostly.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
None.

unblock libpam-mklocaluser/0.20

diff -Nru libpam-mklocaluser-0.19/debian/changelog libpam-mklocaluser-0.20/debian/changelog --- libpam-mklocaluser-0.19/debian/changelog 2023-09-22 18:29:16.000000000 +0200 +++ libpam-mklocaluser-0.20/debian/changelog 2025-06-02 15:01:06.000000000 +0200 @@ -1,3 +1,14 @@ +libpam-mklocaluser (0.20) unstable; urgency=medium + + [ Guido Berhoerster ] + * Determine minimum UID for regular users from login.defs + + [ Mike Gabriel ] + * debian/pam-python.py: Take user shell into account when creating local + user account. + + -- Mike Gabriel <sunwea...@debian.org> Mon, 02 Jun 2025 15:01:06 +0200 + libpam-mklocaluser (0.19) unstable; urgency=medium * Team upload. diff -Nru libpam-mklocaluser-0.19/debian/pam-python.py libpam-mklocaluser-0.20/debian/pam-python.py --- libpam-mklocaluser-0.19/debian/pam-python.py 2023-09-22 18:29:12.000000000 +0200 +++ libpam-mklocaluser-0.20/debian/pam-python.py 2025-06-02 15:00:08.000000000 +0200 @@ -40,7 +40,21 @@ HOOK_PATH = Path("/etc/mklocaluser.d") -MINIMUM_UID = 1000 # FIXME read UID_MIN from login.defs? + + +def get_minimum_uid(): + min_uid = 1000 + with open("/etc/login.defs") as f: + for line in f: + parts = line.strip().split(maxsplit=1) + if len(parts) == 2 and parts[0] == "UID_MIN": + try: + min_uid = int(parts[1]) + except ValueError: + pass + break + + return min_uid def check_and_create_localuser(pamh, user): @@ -52,7 +66,7 @@ return pamh.PAM_USER_UNKNOWN # Ignore users belwo minimum UID - if userinfo.pw_uid < MINIMUM_UID: + if userinfo.pw_uid < get_minimum_uid(): return pamh.PAM_SUCCESS # Ignore users with existing entry in /etc/passwd @@ -101,7 +115,7 @@ syslog.syslog( f"Creating local passwd/shadow entry uid={userinfo.pw_uid}({user}) " f"gid={userinfo.pw_gid}({groupname}) gecos='{userinfo.pw_gecos}' " - f"home={new_home}" + f"home={new_home} shell='{userinfo.pw_shell}'" ) with tempfile.TemporaryDirectory(ignore_cleanup_errors=True) as tmpdir: # Use alternative path to the root directory to trick useradd into 
@@ -115,6 +129,7 @@ [ "useradd", "--prefix", root, "--uid", str(userinfo.pw_uid), "--no-user-group", "--create-home", "--home-dir", new_home, + "--shell", userinfo.pw_shell, "--comment", userinfo.pw_gecos, user ], capture_output=True, text=True, check=True
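
Review bot: In the debian/pam-python.py hunk that adds get_minimum_uid(), the open("/etc/login.defs") call has no handling for a missing or unreadable file, so an OSError now propagates into check_and_create_localuser() at a point where the old code only compared against a constant. Catch OSError and return the 1000 default. The ValueError branch also falls back silently: a line such as "UID_MIN 1000 # comment" leaves parts[1] as "1000 # comment", int() fails, and the function returns the default with no trace. Because this value decides which accounts are skipped and which get a local passwd/shadow entry, report the unparsable value through syslog.syslog() and consider rejecting negative results.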
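
Review bot: In the syslog f-string hunk of debian/pam-python.py, shell='{userinfo.pw_shell}' is written to the log unescaped, in the same way as gecos on the line above. Both fields come from the directory entry rather than from local configuration, so a value containing a quote or a control character makes the account-creation log line ambiguous to parse. Formatting both fields with the !r conversion (for example {userinfo.pw_shell!r}) keeps the record unambiguous.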
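
Review bot: In the useradd argument list hunk of debian/pam-python.py, "--shell", userinfo.pw_shell is passed through without checking that the value is non-empty and names a shell that exists on this workstation. The arguments are passed as a list, so the value is not interpreted by a shell, but a directory entry that points at an interpreter not installed locally would leave the new account with a login shell that cannot be executed, and since the call uses check=True any value useradd rejects raises CalledProcessError in the middle of the login. Validate pw_shell before the call (absolute path, exists and is executable, or is listed in /etc/shells) and fall back to a default when the check fails.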