RHEL-07-020620 uidmin and uidmax not sufficient to find local interactive users #462
uidmin and uidmax sometimes set to empty string. In these cases the login shell is the only way to check if they are local interactive users.
I've run into the same issue lately. This bug kept on exhibiting itself by causing some issues with nfs. Turns out since /var/lib/nfs is set as the home directory for nfsnobody and rpcuser, it was locking the directory to 700 permissions, which caused some issues with rpcuser reading a lock file in the directory.
Yeah, best way to handle this I think would be to exclude /usr/sbin/nologin and /sbin/nologin with grep -v when /etc/passwd is parsed.
Describe the Issue
Using uidmin and uidmax is not sufficient to find local interactive users. Some users with sbin nologin are getting set as local interactive users when they are not.
Expected Behavior
Users with login shells set to sbin nologin should not be placed in the list of local interactive users.
Actual Behavior
Users with login shells set to sbin nologin are sometimes placed in the list of local interactive users.
Control(s) Affected
RHEL-07-020620 and any control/task using the rhel7_passwd fact.
Possible Solution
Create a new fact which is a subset of the original rhel7_passwd which has local interactive users stored in it. The fact would be populated using logic checking 'uid' >= rhel7_stig_interactive_uid_start | int, uid <= rhel7_stig_interactive_uid_stop | int, uid != 65534, shell != /sbin/nologin.
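The filter proposed above (and the nologin exclusion suggested in the comments), as an added Python example that is not part of the issue or of the RHEL7-STIG role. It parses /etc/passwd-style lines, applies the uid range, the 65534 exclusion and a shell check covering both /sbin/nologin and /usr/sbin/nologin; the handling of an empty UID_MIN/UID_MAX (falling back to 1000 and 60000) is an assumption, as is the sample passwd data.

```python
"""Select local interactive users from /etc/passwd entries.

Filter: uid within [uid_min, uid_max], uid != 65534, and a login shell that
is not a nologin shell.  Empty UID_MIN/UID_MAX values (the case reported in
the issue) fall back to defaults; that fallback is an assumption.
"""
from typing import Dict, Iterable, List

# Both nologin paths from the comments, so Debian-style hosts are covered too.
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin"}
NFSNOBODY_UID = 65534

def to_bound(value: str, default: int) -> int:
    """Parse a UID bound read from login.defs; empty -> default (assumption)."""
    value = value.strip()
    return int(value) if value else default

def local_interactive_users(passwd_lines: Iterable[str],
                            uid_min: str = "", uid_max: str = "") -> List[Dict]:
    """Return the entries that should be treated as local interactive users."""
    lo = to_bound(uid_min, 1000)
    hi = to_bound(uid_max, 60000)
    users = []
    for line in passwd_lines:
        fields = line.strip().split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank, comment or malformed entry: skip rather than guess
        name, _pw, uid, _gid, _gecos, home, shell = fields
        uid_i = int(uid)
        if not (lo <= uid_i <= hi):
            continue                      # outside the interactive uid range
        if uid_i == NFSNOBODY_UID:
            continue                      # nfsnobody, excluded explicitly
        if shell in NOLOGIN_SHELLS:
            continue                      # service account, cannot log in
        users.append({"name": name, "uid": uid_i, "home": home, "shell": shell})
    return users

# Constructed sample, not taken from a real host.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin",
    "nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin",
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash",
    "svc:x:1001:1001:service account:/opt/svc:/usr/sbin/nologin",
    "bob:x:1002:1002:Bob:/home/bob:/bin/zsh",
]

if __name__ == "__main__":
    for user in local_interactive_users(SAMPLE_PASSWD):
        print(f"{user['name']}:{user['uid']}:{user['home']}:{user['shell']}")
```

With both bounds empty, rpcuser and nfsnobody are dropped by the shell and uid checks even though the range fallback alone would not have excluded rpcuser's /var/lib/nfs home from being treated as an interactive home directory.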