
Bug#1003192: marked as done (debian-edu-config: /etc/login.defs not adjusted for Debian Edu like /etc/adduser.conf)



Your message dated Wed, 27 Sep 2023 08:37:42 +0000
with message-id <E1qlQ3C-00CYbk-8l@fasolo.debian.org>
and subject line Bug#1003192: fixed in debian-edu-config 2.12.37
has caused the Debian Bug report #1003192,
regarding debian-edu-config: /etc/login.defs not adjusted for Debian Edu like /etc/adduser.conf
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1003192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003192
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.12.5
Severity: normal

Hi,

the Debian Edu site setup configures adduser to start adding local non-system users with UID number 500.

UID number 1000 and upwards is/are used for LDAP users.

In a standard Debian system, local user ID numbers normally start at 1000, so /etc/adduser.conf is tweaked accordingly on all Debian Edu setups:

# cat /etc/adduser.conf | grep 500
FIRST_UID=500
FIRST_GID=500

However, when I look at UID and GID ranges in /etc/login.defs, I see this on a fresh Debian Edu 11 installation:

# cat /etc/login.defs | grep UID
UID_MIN			 1000
UID_MAX			60000
#SYS_UID_MIN		  100
#SYS_UID_MAX		  999

# cat /etc/login.defs | grep GID
GID_MIN			 1000
GID_MAX			60000
#SYS_GID_MIN		  100
#SYS_GID_MAX		  999

To my understanding, with the deviating FIRST_UID/FIRST_GID settings in Debian Edu and with LDAP users starting at UID number (and GID number) 1000, the /etc/login.defs file should be adjusted to the following values, probably via cfengine3:

# cat /etc/login.defs | grep UID
UID_MIN			  500
UID_MAX			  999
SYS_UID_MIN		  100
SYS_UID_MAX		  499

# cat /etc/login.defs | grep GID
GID_MIN			  500
GID_MAX			  999
SYS_GID_MIN		  100
SYS_GID_MAX		  499


Interestingly, systemd adds this to /etc/passwd and /etc/group:

systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
systemd-coredump:x:999:

So, the question is where in the installation process we need to inject the above change to enforce systemd-coredump:499:499:... Or if we can simply ignore that and configure /etc/login.defs for all following local user / local system user accounts.

I stumbled over this while looking at LTSP's init process and esp. the pwmerge tool which relies on correct settings in /etc/login.defs on the LTSP client.

Comments? Feedback?

Mike

--

DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22  0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de



--- End Message ---
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.12.37
Done: Mike Gabriel <sunweaver@debian.org>

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1003192@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunweaver@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Wed, 27 Sep 2023 09:57:06 +0200
Source: debian-edu-config
Architecture: source
Version: 2.12.37
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Mike Gabriel <sunweaver@debian.org>
Closes: 1003192 1003728 1010159
Changes:
 debian-edu-config (2.12.37) unstable; urgency=medium
 .
   [ Guido Berhoerster ]
   * Discard excessive nullmailer logging.
     Filter out log messages coming from a client running nullmailer since it is
     very verbose and can easily fill up the filesystem under /var/log.
     (Closes: #1003728).
   * ldap-createuser-krb5: fix password prompt.
   * Disable cfengine3 systemd service.
     Disabling only cf-execd in 75b4e3f7 (see #1041323) did not work as it gets
     pulled in as a dependency of cfengine3. Thus disable the cfengine3 service
     instead.
   * Rewrite testsuite/filesystems, add exception for /boot
     Rewrite for clarity and robustness. Add exception for /boot which may use
     ext2.
   * testsuite/ldap-{server,client}: Fix invocation of ldapsearch.
     The -h command line option has been removed, ldapsearch now only accepts a
     LDAP URI via the -H option.
     Also do not use the deprecated egrep and get rid of unnecessary wc.
     Use dig and awk instead of host and interpret the SRV record properly.
   * testsuite/ldap-client: Improve error message on PAM modules.
   * Fix remaining invocations of ldapsearch.
   * Disable using the LDAP PAM module (we use pam_krb5.so instead).
   * setup-freeradius-server: Set commonName and subjectAltNames on the server
     cert.
     (Closes: #1010159).
   * setup-freeradius-server: Improve robustness
     Use update-ini-file for OpenSSL config files.
     Use more precise sed substitutions which do not rely on example values.
     Increase password length from 8 to 16 characters.
   * Change minimum UID/GID for LDAP user to 2000 (Closes: #1003192)
     With this change local user accounts now use the UID/GID range 1000-1999
     instead of 500-999 whereas LDAP user accounts use 2000-59999 instead of
     1000-59999.  This is to reserve UID/GID 0-999 for system users which is the
     default in Debian and not conforming to it is increasingly problematic as
     packages are beginning to use systemd-sysusers for creating system user
     accounts which does not obey /etc/addusers.conf or /etc/login.defs by default.
     The first user account created during installation now has UID/GID 2000 instead
     of 1000.
     Configure gosa and adjust ldap-createuser-krb5 accordingly.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

--- End Message ---
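
Added example, not part of the original messages or of debian-edu-config: a shell check for the mismatch the report describes, comparing FIRST_UID/FIRST_GID in adduser.conf with the active UID_MIN/GID_MIN in login.defs and listing passwd entries whose UID falls inside a given range. The function names are hypothetical and the sample files are constructed from the values quoted in the report.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, sample data is constructed.

# Print the value of an active (uncommented) KEY from a login.defs-style file.
login_defs_get() {  # usage: login_defs_get FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Print the value of KEY=VALUE from an adduser.conf-style file.
adduser_conf_get() {  # usage: adduser_conf_get FILE KEY
    awk -F= -v k="$2" '$1 == k { v = $2 } END { if (v != "") print v }' "$1"
}

# Print one "MISMATCH ..." line per pair of settings that should agree but
# does not; print nothing when the two files are consistent.
range_mismatches() {  # usage: range_mismatches ADDUSER_CONF LOGIN_DEFS
    for pair in FIRST_UID:UID_MIN FIRST_GID:GID_MIN; do
        a_key=${pair%%:*}; l_key=${pair##*:}
        a_val=$(adduser_conf_get "$1" "$a_key")
        l_val=$(login_defs_get "$2" "$l_key")
        [ "$a_val" = "$l_val" ] ||
            echo "MISMATCH $a_key=${a_val:-unset} $l_key=${l_val:-unset}"
    done
}

# List "name:uid" for passwd entries whose numeric UID lies in [LO, HI].
accounts_in_range() {  # usage: accounts_in_range PASSWD LO HI
    awk -F: -v lo="$2" -v hi="$3" \
        '$3 ~ /^[0-9]+$/ && $3 + 0 >= lo + 0 && $3 + 0 <= hi + 0 { print $1 ":" $3 }' "$1"
}

# --- demo on constructed sample files mirroring the report ---
tmp=$(mktemp -d)
printf 'FIRST_UID=500\nFIRST_GID=500\n' > "$tmp/adduser.conf"
printf 'UID_MIN\t\t\t 1000\nUID_MAX\t\t\t60000\n#SYS_UID_MIN\t\t  100\n' > "$tmp/login.defs"
printf 'GID_MIN\t\t\t 1000\nGID_MAX\t\t\t60000\n#SYS_GID_MIN\t\t  100\n' >> "$tmp/login.defs"
printf 'root:x:0:0:root:/root:/bin/bash\n' > "$tmp/passwd"
printf 'systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin\n' >> "$tmp/passwd"

range_mismatches "$tmp/adduser.conf" "$tmp/login.defs"
# Accounts already sitting in the 500-999 range proposed for local users:
accounts_in_range "$tmp/passwd" 500 999
rm -rf "$tmp"
```

On a real host, point the functions at /etc/adduser.conf, /etc/login.defs and /etc/passwd; with the ranges from the 2.12.37 changelog, `accounts_in_range /etc/passwd 1000 1999` lists the accounts in the range that release assigns to local users.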
