Bug 157500 - posible chsh(1) bug on systems using nss_ldap/pam_ldap ends adding users to /etc/master.passwd
Summary: posible chsh(1) bug on systems using nss_ldap/pam_ldap ends adding users to /...
Status: Open
Alias: None
Product: Base System
Classification: Unclassified
Component: bin (show other bugs)
Version: 8.1-STABLE
Hardware: Any Any
: Normal Affects Some People
Assignee: Dag-Erling Smørgrav
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-06-01 16:40 UTC by Nicolas de Bari Embriz Garcia Rojas
Modified: 2015-12-17 20:18 UTC (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Nicolas de Bari Embriz Garcia Rojas 2011-06-01 16:40:09 UTC 
I have a server using nss_ldap/pam_ldap (all users are stored on an ldap
directory) but I notice that  few users where available to change their
shell using the command chsh -s /bin/sh. 

In theory chsh like the passwd command should not operate on ldap and
just work for local users.

in fact the passwd command output this:
passwd: Sorry, `passwd' can only change passwords for local or NIS users.

when creating an account via web (www.sign.io - info stored on ldap not
localy and in a remote server) and after login for the first time to the
server via ssh, the user can execute the command chsh -s /bin/sh and
chsh will add the user to the /etc/passwd and /etc/master.passwd (this
should not happen) but seems like chsh is ignoring nsswitch.conf:

group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: files
protocols: files
rpc: files

if the user change his password (not using the passwd command) using an alternate script like this  one:

---
#!/bin/sh

stty -echo
read -p "Old Password: " oldp; echo
read -p "New Password: " np1; echo
read -p "Retype New Password: " np2; echo
stty echo

if [ "$np1" != "$np2" ]; then
  echo "Passwords do not match."
  exit 1
fi

ldappasswd -h 172.16.13.1 -D uid="$USER",ou=people,dc=sign,dc=io\
  -w "$oldp" \
  -a "$oldp" \
  -s "$np1"
# http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/article.html
---

The user can still login the the shell but if he want to change his
shell again, he has to use his previous password since a new record on
/etc/passwd and /etc/master.passwd has been created.

also the this new record does not respect the login.conf, since the entry
looks like this:

test4:$1$YAvOssdO$JjZcAPX/4QppDIPlS2P4s.:4658:4658::0:0:test:/home/users/t/e/s/test4:/bin/sh

where in theory they should have a hash beginning with $2 (since blf)
is specified on the login.conf

the current login.conf is like this:

default:\
  :passwd_format=blf:\
  :minpasswordlen=6:\
  :copyright=/etc/COPYRIGHT:\
  :welcome=/etc/welcome:\
  :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
  :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
  :nologin=/var/run/nologin:\
  :cputime=1h:\
  :datasize=10M:\
  :stacksize=2M:\
  :memorylocked=2M:\
  :memoryuse=8M:\
  :filesize=10M:\
  :coredumpsize=0:\
  :openfiles=50:\
  :maxproc=10:\
  :sbsize=unlimited:\
  :vmemoryuse:16M:\
  :priority=5:\
  :ignoretime@:\
  :requirehome=1:\
  :idletime=30:\
  :umask=077:



http://forums.freebsd.org/showthread.php?p=136224#post136224

Fix: 

unknown, maybe temporally disabling chsh
How-To-Repeat: create an account via ldap not locally (live example on www.sign.io) 

login the the shell server that uses pam_ldap/nss_ldap (no local users
on /etc/master.passwd)  and execute the chsh -s /bin/sh.

chsh will ask for a password the one will be stored or used for creating
a new entry on /etc/passwd (later update will update /etc/mater.passwd)
(this should not happen)
Comment 1 Dag-Erling Smørgrav freebsd_committer freebsd_triage 2015-12-17 20:18:31 UTC 
This is clearly not the desired behavior, but I am not entirely sure how to fix it.  I will try to look into it.