Bug 48178 - Add some users to the default blacklist
Summary: Add some users to the default blacklist
Status: RESOLVED FIXED
Product: accountsservice
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Matthias Clasen
Reported: 2012-04-02 02:29 UTC by Vincent Untz
Modified: 2013-01-04 19:20 UTC

Attachments
Also exclude "at" user (522 bytes, patch)
2012-04-17 23:59 UTC, Vincent Untz

Description Vincent Untz 2012-04-02 02:29:16 UTC
With the new accountsservice, I see three users that are not filtered anymore because they don't have nologin or false as login shell: ftp, games and man.

Can we add them to the default blacklist (default_excludes in daemon.c)? On a Debian system I have, I see that at least games and man are there too, with /bin/sh as login shell, so it doesn't just affect openSUSE, I guess.
Comment 1 Ray Strode [halfline] 2012-04-02 11:48:39 UTC
we started getting complaints about the mysql users in fedora too:

http://www.mail-archive.com/test@lists.fedoraproject.org/msg14147.html

Would the proposed solution there ^ work for your cases (looking at the shadow file and filtering out users with "!!" passwords)?
Comment 2 Ray Strode [halfline] 2012-04-02 11:49:58 UTC
i don't really mind expanding the blacklist. I'd just like to find a more scalable solution I guess.
Comment 3 Ray Strode [halfline] 2012-04-02 13:56:12 UTC
pushed a change to add ftp, games, man, and mysql to the blacklist
Comment 4 Ray Strode [halfline] 2012-04-02 13:56:47 UTC
err tried, git.freedesktop.org is down apparently.
Comment 5 Vincent Untz 2012-04-03 04:55:52 UTC
(In reply to comment #1)
> Would the proposed solution there ^ work for your cases (looking at the shadow
> file and filtering out users with "!!" passwords)?

I don't really like the idea of opening /etc/shadow, to be honest :-) But otherwise, no objection. Hrm, the users have "*" passwords here, not "!!". Which is slightly different (and unfortunate, as iirc, "*" just means no password while "!!" means no login at all).
Comment 6 Vincent Untz 2012-04-17 23:59:36 UTC
Created attachment 60234
Also exclude "at" user

Another user reported the issue with "at"...
Comment 7 Ray Strode [halfline] 2012-04-24 08:10:18 UTC
pushed, though turns out we already do the /etc/shadow snooping, so we just need to change it to be less specific about what it excludes.
Comment 8 Michael Biebl 2012-05-17 10:09:54 UTC
(In reply to comment #7)
> pushed, though turns out we already do the /etc/shadow snooping, so we just
> need to change it to be less specific about what it excludes.

See 
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673095

and specifically
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673095#15
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=673095#20

Allesio has reverted the commit for now, which drops the filtering based on MIN_UID.
Comment 9 Ray Strode [halfline] 2013-01-04 19:20:30 UTC
okay i pushed this:

http://cgit.freedesktop.org/accountsservice/commit/?id=8dd2ac2a79636349de5846fab2050a7866f2ddee

    daemon: be more aggressive at excluding system accounts
    
    system accounts sometimes have valid shells, so checking for
    a valid shell isn't the best way to avoid showing those accounts.
    
    This commit changes accountsservice to exclude accounts that have
    a password hash that doesn't match one of the standard formats.

So i'm going to close this bug out.
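
Added example, not part of the bug thread and not accountsservice's own code: a sketch of the "password hash doesn't match one of the standard formats" check, showing how the `*` and `!!` fields discussed in comment 5 both end up excluded while a locked real user (`!` followed by a hash) does not. The function names, the sample fields and the choice to keep empty-password accounts visible are assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Traditional DES crypt(3): exactly 13 characters from [./0-9A-Za-z]. */
static bool is_des_crypt(const char *s)
{
    if (strlen(s) != 13)
        return false;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '.' && *s != '/')
            return false;
    return true;
}

/* Modular crypt format: "$id$rest" with a non-empty id and a non-empty rest. */
static bool is_modular_crypt(const char *s)
{
    if (s[0] != '$')
        return false;
    const char *end = strchr(s + 1, '$');
    return end != NULL && end > s + 1 && end[1] != '\0';
}

/* Hypothetical helper: true when the shadow password field marks an account
 * that should be hidden from a login user list. */
bool shadow_field_is_system_account(const char *field)
{
    if (field[0] == '\0')   /* assumption: empty field = passwordless login, keep */
        return false;
    if (field[0] == '!')    /* one leading '!' = locked account, inspect the rest */
        field++;
    return !(is_modular_crypt(field) || is_des_crypt(field));
}

int main(void)
{
    /* Constructed sample fields, not taken from any real system. */
    const char *samples[] = { "*", "!!", "!", "", "$6$c0nstructed$AbCdEfGh",
                              "!$6$c0nstructed$AbCdEfGh", "ab01FAX.bQRSU", "x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-28s -> %s\n", samples[i],
               shadow_field_is_system_account(samples[i]) ? "hide" : "show");
    return 0;
}
```

The check works on the field string only, so it needs whatever privileged component already reads /etc/shadow to pass the field in.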