AlternC / alternc-nss


Users conflicts #4

Open Mazamazine opened 2 years ago

Mazamazine commented 2 years ago

Users created under alternc are under /var/lib/extrausers/. In nsswitch.conf though, it's looking first in /etc/{shadow,passwd,group}.

The result of this is having conflicts between alternC users and existing users, leading to security problems.

Using alternc-php-fpm for instance, we can see processes under the right user but with the wrong uid. Say you have your admin user in alternc (uid 2000) and an admin user with a uid 10440, here is what you get:

    10440 5768 0.0 0.8 275752 18176 ? S 18:03 0:00 \_ php-fpm: pool admin

camlafit commented 2 years ago

Hello

Actually we don't have any check about uid or account name. If users are created after alternc installation we could get a uid conflict between a legacy user and an alternc account. I think the source problem is more on the AlternC part. We should check if the user is already defined as a standard account and check if the uid is already set. Actually I've no correct idea to solve this.

Mazamazine commented 2 years ago

In the meantime, I opted for a check in /etc/passwd through a new function in m_nss.php (have to fix the preg_match though! Should be /^$login:/m so maza doesn't match mazamazine... => fixed by https://github.com/Koumbit/alternc-nss/commit/dd0e4a7588569cee54399d60419dbdb3f6180d87)

https://github.com/Koumbit/alternc-nss/commit/73f53322b0cce7f33186ef90e1da5fed88b4056c#diff-7e21c6361f269dcf996896e26b6051018ff06f6f55ebd9a47665b18cdfc2e733

I had to add a hook prior to user creation in m_admin.php so that the account is not created if the user has been found in /etc/passwd.

https://github.com/Koumbit/AlternC/pull/5/commits/b2bd39d0ef0200cbac7776e162ceecaf2f736aff

To make this work, I also changed the apache template to add /etc/passwd in open_basedir.

Probably not the best way, but it fixes my problem for now.

camlafit commented 2 years ago

Hello

I think a better solution would be to check uid and username directly from AlternC.
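
An added example (not part of the thread and not AlternC code) of the two checks discussed above: the anchored login match from Mazamazine's comment, and a combined login and uid check as camlafit suggests. The function names and the sample passwd data are constructed for illustration, and the unanchored pattern is an assumed stand-in for the pre-fix regex, which the thread does not show.

```php
<?php
// Constructed sample in passwd(5) format. On a real host this would be the
// contents of /etc/passwd (which must then be readable under open_basedir).
const SAMPLE_PASSWD = <<<'EOT'
root:x:0:0:root:/root:/bin/bash
mazamazine:x:1000:1000::/home/mazamazine:/bin/bash
admin:x:10440:10440::/home/admin:/bin/bash
EOT;

// Assumed pre-fix behaviour: an unanchored match finds "maza" inside "mazamazine".
function loginExistsUnanchored(string $passwd, string $login): bool
{
    return preg_match('/' . preg_quote($login, '/') . '/', $passwd) === 1;
}

// Anchored form from the thread (/^$login:/m), with the login escaped so that
// regex metacharacters in a login cannot alter the pattern.
function loginExistsAnchored(string $passwd, string $login): bool
{
    return preg_match('/^' . preg_quote($login, '/') . ':/m', $passwd) === 1;
}

// Field-based check: report a conflict on either the login name or the uid.
function findConflicts(string $passwd, string $login, int $uid): array
{
    $conflicts = [];
    foreach (preg_split('/\R/', $passwd, -1, PREG_SPLIT_NO_EMPTY) as $line) {
        $fields = explode(':', $line);
        if (count($fields) < 3 || !ctype_digit($fields[2])) {
            continue; // skip malformed entries
        }
        if ($fields[0] === $login) {
            $conflicts[] = "login '$login' already exists with uid {$fields[2]}";
        }
        if ((int) $fields[2] === $uid) {
            $conflicts[] = "uid $uid is already used by '{$fields[0]}'";
        }
    }
    return $conflicts;
}

// "maza" must not be rejected just because "mazamazine" exists.
var_dump(loginExistsUnanchored(SAMPLE_PASSWD, 'maza'));
var_dump(loginExistsAnchored(SAMPLE_PASSWD, 'maza'));
// The scenario from the issue: AlternC "admin" (uid 2000) vs system "admin" (uid 10440).
print_r(findConflicts(SAMPLE_PASSWD, 'admin', 2000));
// A new login whose proposed uid collides with an existing system account.
print_r(findConflicts(SAMPLE_PASSWD, 'newsite', 1000));
```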