Bug 39369 - /usr/lib/univention-pam/lock-user sets HOME to /dev/null
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: PAM
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.0-3-errata
Assigned To: Felix Botner
QA Contact: Stefan Gohmann
Reported: 2015-09-18 22:45 CEST by Stefan Gohmann
Modified: 2017-02-15 18:05 CET
Description Stefan Gohmann univentionstaff 2015-09-18 22:45:46 CEST
Ticket #2015090921000712

The following traceback happens on a customer system:

root@ucs:~# udm computers/ubuntu create \
  --position "cn=computers,${ldap_base}" \
  --set name=testubuntu121 \
  --set password="testpassword" \
  --set operatingSystem="Ubuntu" \
  --set operatingSystemVersion="14.04" \
  --set unixhome=/dev/null
Traceback (most recent call last):
  File "/usr/share/univention-directory-manager-tools/univention-cli-server", line 222, in doit
    output = univention.admincli.admin.doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 393, in doit
    out=_doit(arglist)
  File "/usr/lib/pymodules/python2.7/univention/admincli/admin.py", line 804, in _doit
    dn=object.create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 352, in create
    return self._create()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/__init__.py", line 711, in _create
    al=self._ldap_addlist()
  File "/usr/lib/pymodules/python2.7/univention/admin/handlers/computers/ubuntu.py", line 459, in _ldap_addlist
    krb_keys=univention.admin.password.krb5_asn1(self.krb5_principal(), self['password'])
  File "/usr/lib/pymodules/python2.7/univention/admin/password.py", line 93, in krb5_asn1
    krb5_context = heimdal.context()
Krb5Error: {'code': 20}

The UDM CLI was started via /usr/lib/univention-pam/lock-user, which is started via PAM, and thus HOME is set to /dev/null, which breaks the heimdal context.
Comment 1 Stefan Gohmann univentionstaff 2015-09-18 22:46:42 CEST
My hotfix on the customer system was:

--- /usr/lib/univention-pam/lock-user   2015-09-18 14:24:00.280570293 -0600
+++ /usr/lib/univention-pam/lock-user.orig      2015-09-18 14:23:42.036598664 -0600
@@ -59,7 +59,7 @@
                        exit 1
                fi

-               HOME=/ univention-directory-manager users/user modify --binddn "$binddn" --bindpwd "$(cat $bindpw)" --logfile /dev/null --dn "$user_dn" --set locked=all
+               univention-directory-manager users/user modify --binddn "$binddn" --bindpwd "$(cat $bindpw)" --logfile /dev/null --dn "$user_dn" --set locked=all

                exit $?
        else
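Review bot: the hunk is reversed relative to the fix the comment describes: the `---` header names the edited `/usr/lib/univention-pam/lock-user` and `+++` names `lock-user.orig`, so the `-` line is the one carrying the `HOME=/` prefix and the `+` line drops it; applied as-is with `patch`, this would remove the workaround rather than add it. Regenerate it with the original file as the first argument (`diff -u lock-user.orig lock-user`) or apply it with `patch -R`. On both lines, `$(cat $bindpw)` should quote the variable as `$(cat "$bindpw")`, and passing the bind password as a command-line argument leaves it visible in the process list for the duration of the udm call.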
Comment 2 Felix Botner univentionstaff 2015-11-03 14:28:30 CET
* univention-pam: r65128 errata4.0-3
* merged to 4.1-0
* YAML: 2015-11-03-univention-pam.yaml

To reproduce this bug:

 * 4.0-3 master
 * auth/faillog/lock_global: yes
 * create a user with HOME /dev/null
 * make sure univention-cli-server is NOT running
 * ssh login with the user with a wrong password (5 times)
 * user should be locked now
 * creating another user now fails (without the hotfix):
   udm users/user create --set username=test3 \
     --set password=univention \
     --set lastname=test3
Comment 3 Stefan Gohmann univentionstaff 2015-11-03 15:03:40 CET
Tests: OK

Code review: OK

YAML: OK
Comment 4 Janek Walkenhorst univentionstaff 2015-11-04 17:24:45 CET
<http://errata.software-univention.de/ucs/4.0/360.html>