Your message dated Wed, 27 Sep 2023 08:37:42 +0000
with message-id <e1qlq3c-00cybk...@fasolo.debian.org>
and subject line Bug#1003192: fixed in debian-edu-config 2.12.37
has caused the Debian Bug report #1003192,
regarding debian-edu-config: /etc/login.defs not adjusted for Debian Edu like
/etc/adduser.conf
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1003192: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003192
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.12.5
Severity: normal
Hi,
the Debian Edu site setup configures adduser to start adding local
non-system users with UID number 500.
UID number 1000 and upwards is/are used for LDAP users.
In a standard Debian system, local user ID numbers normally start at
1000, so /etc/adduser.conf is tweaked accordingly on all Debian Edu
setups:
# cat /etc/adduser.conf | grep 500
FIRST_UID=500
FIRST_GID=500
However, when I look at UID and GID ranges in /etc/login.defs, I see
this on a fresh Debian Edu 11 installation:
# cat /etc/login.defs | grep UID
UID_MIN 1000
UID_MAX 60000
#SYS_UID_MIN 100
#SYS_UID_MAX 999
# cat /etc/login.defs | grep GID
GID_MIN 1000
GID_MAX 60000
#SYS_GID_MIN 100
#SYS_GID_MAX 999
To my understanding, with the deviating FIRST_UID/FIRST_GID settings
in Debian Edu and with LDAP users starting at UID number (and GID
number) 1000, the /etc/login.defs file should be adjusted to the
following values, probably via cfengine3:
# cat /etc/login.defs | grep UID
UID_MIN 500
UID_MAX 999
SYS_UID_MIN 100
SYS_UID_MAX 499
# cat /etc/login.defs | grep GID
GID_MIN 500
GID_MAX 999
SYS_GID_MIN 100
SYS_GID_MAX 499
Interestingly, systemd adds this to /etc/passwd and /etc/group:
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
systemd-coredump:x:999:
So, question is where in the installation process we need to inject
the above change to enforce systemd-coredump:499:499:... Or if we can
simply ignore that and configure /etc/login.defs for all following
local user / local system user acconts.
I stumbled over this while looking and LTSP's init process and esp.
the pwmmerge tool which relies on correct settings in /etc/login.defs
on the LTSP client.
Comments? Feedback?
Mike
--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabr...@das-netzwerkteam.de, http://das-netzwerkteam.de
pgp0J4vWg7D1Y.pgp
Description: Digitale PGP-Signatur
--- End Message ---
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.12.37
Done: Mike Gabriel <sunwea...@debian.org>
We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1003...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated debian-edu-config
package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Wed, 27 Sep 2023 09:57:06 +0200
Source: debian-edu-config
Architecture: source
Version: 2.12.37
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Closes: 1003192 1003728 1010159
Changes:
debian-edu-config (2.12.37) unstable; urgency=medium
.
[ Guido Berhoerster ]
* Discard excessive nullmailer logging.
Filter out log messages coming from a client running nullmailer since it is
very verbose and can easily fill up the filesystem under /var/log.
(Closes: #1003728).
* ldap-createuser-krb5: fix password prompt.
* Disable cfengine3 systemd service.
Disabling only cf-execd in 75b4e3f7 (see #1041323) did not work as it gets
pulled in as a dependency of cfengine3. Thus disable the cfengine3 service
instead.
* Rewrite testsuite/filesystems, add exception for /boot
Rewrite for clarity and robustness. Add exception for /boot which may use
ext2.
* testsuite/ldap-{server,client}: Fix invocation of ldapsearch.
The -h command line option has been removed, ldapsearch now only accepts a
LDAP URI via the -H option.
Also do not use the deprecated egrep and get rid of unnecessary wc.
Use dig and awk instead of host and interpret the SRV record properly.
* testsuite/ldap-client: Improve error message on PAM modules.
* Fix remaining invocations of ldapsearch.
* Disable using the LDAP PAM module (we use pam_krb5.so instead).
* setup-freeradius-server: Set commonName and subjectAltNames on the server
cert.
(Closes: #1010159).
* setup-freeradius-server: Improve robustness
Use update-ini-file for OpenSSL config files.
Use more precise sed substitutions which do not rely on example values.
Increase password length from 8 to 16 characters.
* Change minimum UID/GID for LDAP user to 2000 (Closes: #1003192)
With this change local user accounts now use the UID/GID range 1000-1999
instead of 500-999 whereas LDAP user accounts use 2000-59999 instead of
1000-59999. This is to reserve UID/GID 0-999 for system users which is the
default in Debian and not conforming to it is increasingly problematic as
packages are beginning to use systemd-sysusers for creating system user
accounts which does not obey /etc/addusers.conf or /etc/login.defs by
default.
The first user account created during installation now has UID/GID 2000
instead
of 1000.
Configure gosa and adjust ldap-createuser-krb5 accordingly.
Checksums-Sha1:
b2aed5584e2046efa8ae90f7c0ac0324f8d5e264 2017 debian-edu-config_2.12.37.dsc
5fbe3ae49c4192a5a8ca9855bc131b9ad1554448 358716
debian-edu-config_2.12.37.tar.xz
8339b9c11d48a3efe2dc5108b030ef0e627cef4b 6733
debian-edu-config_2.12.37_source.buildinfo
Checksums-Sha256:
89e1cc143542170a2cfb9b9c28efc0349dff0f1302751c537e322943487f4945 2017
debian-edu-config_2.12.37.dsc
6a0083dba3249f99e16ad42dc1231d39d746405febcdd2c2d9cad84821967216 358716
debian-edu-config_2.12.37.tar.xz
793fc1e6a4fb52ddd871046f688b6c5864b51087105d74e12036b34f01a5a479 6733
debian-edu-config_2.12.37_source.buildinfo
Files:
629a246d67534fd26ab957a7fe595cf2 2017 misc optional
debian-edu-config_2.12.37.dsc
66f896135003612b3181653f25ed9085 358716 misc optional
debian-edu-config_2.12.37.tar.xz
a276140da55dbf315844ba3feb29d117 6733 misc optional
debian-edu-config_2.12.37_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQJJBAEBCAAzFiEEm/uu6GwKpf+/IgeCmvRrMCV3GzEFAmUT4HIVHHN1bndlYXZl
ckBkZWJpYW4ub3JnAAoJEJr0azAldxsxgscP/09Hzar4xOA7XTDP8he6JuLhPhaU
VgULaiwOrByuwcFf/sLC1rMMjGc1qqA0puSNCOWnSwmEFze82zaf7LYeShGHyw9U
tCsfdgSXzbvfkN117dYNy+6Rks3domRftzh5ijHD9xvmuPjeWQ8zhU3jlmBtfbDZ
n5W6bE7zmwKY1aVKoD2rpR0Vpz1uIxpUmKBUf3UDO+YQl/sOvhA5kXEo2KVVbJ/z
xsM1ygqXDcuWV/BuWk0uf54F101pR/RVO5vLjzS34n6G5t0aZuQhYFh7ICMgNBzA
KWRwzG/o3JRTFxnzd7lPzkQsotPSQXCxrY88IOx5fkw+fM1/7N+VmApnsK+H3D/w
vA+7rTwpKqXat816aGcpXK3wOYVxR0BnM38eW/6guHF8nEvIgH3n54Ux+7QBuKR3
5G8xqKRUKRAIywclRDtFTr1SbNBzmgAhZ0l6IzO3UUVvlpcz1sPSju4oLNxv7Mgz
vCr03cOZKi3vk6PmBspH4kVIDghmUiPt1NVsZOsdC0oEICxTW35z+YSlUoAw2uGp
MPF0OhuySqYZEcGn71ThW9vJGLubv+6hs6qxqX919PfJRcWovh7I5FlstmqYFVNi
qTzhWvJowe086DkfKa5r5NS//mOguX1C/VZ/KTQWvQ2i+IwxkaSgBUi2Aeg/JAX8
ngbKQ8289o4/35Uh
=LSZJ
-----END PGP SIGNATURE-----
--- End Message ---
