Bug#771925: release-notes: Add a note of base-passwd hardening shell on backup user

[Niels Thykier]

Control: tags -1 patch

On 2014-12-03 15:51, Olivier Berger wrote:
> Package: release-notes
> Severity: normal
> 
> Hi.
> 
> AFAIU, since base-passwd 3.5.30, new in Jessie, update-passwd (triggered by 
> dpkg-configuration of base-passwd) may update (silently ? depening on dpkg 
> priority) the password of users like 'backup' to /usr/sbin/nologin (instead 
> of /bin/sh for instance, previously).
> 
> This is likely to break remote backups performed over SSH for instance (see 
> #737735 for instance).
> 
> While securing such accounts connectivity is great, I fear the release notes 
> for Jessie lack a mention of this fact.
> 
> Of course, backup user may not be the only one affected, but this is at least 
> one case that may occur, hence worth documenting, IMHO.
> 
> Thanks in advance.
> 
> Best regards,
> 
> [...]

Hi Olivier,

Thanks for reporting this issue.

I have made an initial draft (please see attached file).  It could
certainly use a review and possibly a different approach / angle.
  I am also wondering if you know how to "preseed" this, so an admin
with "high" (or above) debconf priority could have this handled
automatically on upgrades without changing debconf priority?

Thanks,
~Niels



diff --git a/en/issues.dbk b/en/issues.dbk
index ca473ee..8b57fc4 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -327,4 +327,80 @@ Pin-Priority: -1
     the “settings” icon.
   </para>
 </section>
+
+<section id="base-passwd-hardening">
+  <!-- Wheezy to Jessie -->
+  <title>Changes to default shell of system users provided by
+  <systemitem role="package">base-passwd</systemitem></title>
+  <para>
+    The upgrade of <systemitem role="package">base-passwd</systemitem>
+    package will reset the shell of system users that is provides to
+    the "nologin" shell.  This includes the following users:
+  </para>
+  <itemizedlist>
+    <listitem>
+      <para>daemon</para>
+    </listitem>
+    <listitem>
+      <para>bin</para>
+    </listitem>
+    <listitem>
+      <para>sys</para>
+    </listitem>
+    <listitem>
+      <para>games</para>
+    </listitem>
+    <listitem>
+      <para>man</para>
+    </listitem>
+    <listitem>
+      <para>lp</para>
+    </listitem>
+    <listitem>
+      <para>mail</para>
+    </listitem>
+    <listitem>
+      <para>news</para>
+    </listitem>
+    <listitem>
+      <para>uucp</para>
+    </listitem>
+    <listitem>
+      <para>proxy</para>
+    </listitem>
+    <listitem>
+      <para>www-data</para>
+    </listitem>
+    <listitem>
+      <para>backup</para>
+    </listitem>
+    <listitem>
+      <para>list</para>
+    </listitem>
+    <listitem>
+      <para>irc</para>
+    </listitem>
+    <listitem>
+      <para>gnats</para>
+    </listitem>
+    <listitem>
+      <para>nobody</para>
+    </listitem>
+  </itemizedlist>
+  <para>
+    If your local setup requires that any of these users have a shell,
+    you should say no to migrating or migrate and then change the shell
+    of the necessary users.  Notable examples includes local backups
+    done via the "backup" user with an "ssh-key" authentication.
+  </para>
+  <caution>
+    <para>
+      The migration will happen automatically if your debconf question
+      priorty is "high" or above.
+    </para>
+  </caution>
+  <para>
+    a<!-- Pre-seeding base-passwd/system/<user>/shell/<old>/<new> -->
+  </para>
+</section>
 </chapter>