Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RHEL-07-020620 uidmin and uidmax not sufficient to find local interactive users #462

Open
prestonSeaman2 opened this issue Apr 24, 2024 · 2 comments
Assignees
Labels

Comments

@prestonSeaman2
Copy link

Describe the Issue
Using uidmin and uidmax is not sufficient to find local interactive users. Some users with sbin nologin are getting set as local interactive users when they are not.

Expected Behavior
Users with login shells set to sbin nologin should not be placed in the list of local interactive users.

Actual Behavior
Users with login shells set to sbin nologin are sometimes placed in the list of local interactive users.

Control(s) Affected
RHEL-07-020620 and any control/task using the rhel7_passwd fact.

Possible Solution
Create new fact which is a subset of the original rhel7_passwd which has local interactive users stored in it. The fact would be populated using logic checking 'uid' >= rhel7_stig_interactive_uid_start | int, uid <= rhel7_stig_interactive_uid_stop | int uid != 65534, shell != /sbin/nologin

@prestonSeaman2
Copy link
Author

uidmin and uidmax sometimes set to empty string. In these cases the login shell is the only way to check if they are local interactive users.

@layluke
Copy link
Contributor

layluke commented Apr 30, 2024

I've ran into the same issue lately, This bug kept on exhibiting itself by causing some issues with nfs. Turns out since /var/lib/nfs is set as the home directory for nfsnobody and rpcuser, it was locking the directory to 700 permissions, which caused some issues with rpcuser reading a lock file in the directory.

uidmin and uidmax sometimes set to empty string. In these cases the login shell is the only way to check if they are local interactive users.

Yeah, best way to handle this I think would be to exclude /usr/sbin/nologin and /sbin/nologin with grep -v when /etc/passwd is parsed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants