#5545 The kdcproxy user should be created in rpm installation time, and ideally with some soft static uid
Closed: wontfix 3 years ago by pcech. Opened 8 years ago by pvoborni.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1283675

Description of problem:

When ipa-server-install is run, records

  kdcproxy:x:388:388:IPA KDC Proxy User:/var/lib/kdcproxy:/sbin/nologin
  kdcproxy:x:388:

get created in /etc/passwd and /etc/group.

It'd be useful if the user was created at rpm installation time, per

  https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Dynamic_allocation

or even using soft static allocation.

On every system the uid/gid might be different, leading to potential leak when
for example in containers data volumes get used with different images.

In understand the kdcproxy user currently does not own any files besides its
home directory /var/lib/kdcproxy but it might change (the wsgi application can
start storing cache files, etc).

Version-Release number of selected component (if applicable):

#  rpm -qf /usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py
ipa-server-4.2.0-15.el7.x86_64

How reproducible:

Deterministic.

Steps to Reproduce:
1. Check /etc/passwd.
2. Run ipa-server-install.
3. Check /etc/passwd.

Actual results:

New record was created.

Expected results:

No new record was created because it was already there.

Additional info:

  • jan p.: we should have a general plan about such scenarios
  • mkosek: we have a plan that we will have a plan, in the future

Christian: FPC is very conservative and doesn't like to pre-allocate uid/gid unless we have a very good argument. kdcproxy doesn't own any files (except homedir). file ownership is FPC's main argument for preallocated uid/gid. https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation

Metadata Update from @pvoborni:
- Issue assigned to someone
- Issue set to the milestone: Future Releases

7 years ago

kdcproxy user and group are created at RPM installation time. The useradd/groupadd calls are protected with a guard. This makes it possible to create the user and group before the package is installed.

I see very little chance to get pre-allocated UID and GID from FPC. The service does not require a fixed UID. It does neither own any files nor does any other service use the kdcproxy UID/GID to authenticate or identify the process. The kdcproxy user was added to separate privileges.

Metadata Update from @cheimes:
- Issue close_status updated to: None

5 years ago

Close as the BZ was closed.

Metadata Update from @pcech:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

3 years ago

Login to comment on this ticket.

Metadata