From nobody@FreeBSD.org  Wed Jun  1 15:39:19 2011
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 1B099106566C
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  1 Jun 2011 15:39:19 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 0AF118FC14
	for <freebsd-gnats-submit@FreeBSD.org>; Wed,  1 Jun 2011 15:39:19 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p51FdHLJ084147
	for <freebsd-gnats-submit@FreeBSD.org>; Wed, 1 Jun 2011 15:39:17 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p51FdHEU084146;
	Wed, 1 Jun 2011 15:39:17 GMT
	(envelope-from nobody)
Message-Id: <201106011539.p51FdHEU084146@red.freebsd.org>
Date: Wed, 1 Jun 2011 15:39:17 GMT
From: Nicolas de Bari Embriz Garcia Rojas <nbari@sign.io>
To: freebsd-gnats-submit@FreeBSD.org
Subject: posible chsh bug on systems using nss_ldap/pam_ldap ends adding users to /etc/master.passwd
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         157500
>Category:       bin
>Synopsis:       posible chsh(1) bug on systems using nss_ldap/pam_ldap ends adding users to /etc/master.passwd
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jun 01 15:40:09 UTC 2011
>Closed-Date:    
>Last-Modified:  Thu Jun 02 04:00:32 UTC 2011
>Originator:     Nicolas de Bari Embriz Garcia Rojas
>Release:        8.1-STABLE
>Organization:
>Environment:
FreeBSD sign.io 8.1-STABLE FreeBSD 8.1-STABLE #1: Sun Nov 21 16:09:52 CET 2010     root@sign.io:/usr/obj/usr/src/sys/SIGNIO  amd64
>Description:
I have a server using nss_ldap/pam_ldap (all users are stored on an ldap
directory) but I notice that  few users where available to change their
shell using the command chsh -s /bin/sh. 

In theory chsh like the passwd command should not operate on ldap and
just work for local users.

in fact the passwd command output this:
passwd: Sorry, `passwd' can only change passwords for local or NIS users.

when creating an account via web (www.sign.io - info stored on ldap not
localy and in a remote server) and after login for the first time to the
server via ssh, the user can execute the command chsh -s /bin/sh and
chsh will add the user to the /etc/passwd and /etc/master.passwd (this
should not happen) but seems like chsh is ignoring nsswitch.conf:

group: files ldap
hosts: files dns
networks: files
passwd: files ldap
shells: files
services: files
protocols: files
rpc: files

if the user change his password (not using the passwd command) using an alternate script like this  one:

---
#!/bin/sh

stty -echo
read -p "Old Password: " oldp; echo
read -p "New Password: " np1; echo
read -p "Retype New Password: " np2; echo
stty echo

if [ "$np1" != "$np2" ]; then
  echo "Passwords do not match."
  exit 1
fi

ldappasswd -h 172.16.13.1 -D uid="$USER",ou=people,dc=sign,dc=io\
  -w "$oldp" \
  -a "$oldp" \
  -s "$np1"
# http://www.freebsd.org/doc/en_US.ISO8859-1/articles/ldap-auth/article.html
---

The user can still login the the shell but if he want to change his
shell again, he has to use his previous password since a new record on
/etc/passwd and /etc/master.passwd has been created.

also the this new record does not respect the login.conf, since the entry
looks like this:

test4:$1$YAvOssdO$JjZcAPX/4QppDIPlS2P4s.:4658:4658::0:0:test:/home/users/t/e/s/test4:/bin/sh

where in theory they should have a hash beginning with $2 (since blf)
is specified on the login.conf

the current login.conf is like this:

default:\
  :passwd_format=blf:\
  :minpasswordlen=6:\
  :copyright=/etc/COPYRIGHT:\
  :welcome=/etc/welcome:\
  :setenv=MAIL=/var/mail/$,BLOCKSIZE=K,FTP_PASSIVE_MODE=YES:\
  :path=/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin ~/bin:\
  :nologin=/var/run/nologin:\
  :cputime=1h:\
  :datasize=10M:\
  :stacksize=2M:\
  :memorylocked=2M:\
  :memoryuse=8M:\
  :filesize=10M:\
  :coredumpsize=0:\
  :openfiles=50:\
  :maxproc=10:\
  :sbsize=unlimited:\
  :vmemoryuse:16M:\
  :priority=5:\
  :ignoretime@:\
  :requirehome=1:\
  :idletime=30:\
  :umask=077:



http://forums.freebsd.org/showthread.php?p=136224#post136224
>How-To-Repeat:
create an account via ldap not locally (live example on www.sign.io) 

login the the shell server that uses pam_ldap/nss_ldap (no local users
on /etc/master.passwd)  and execute the chsh -s /bin/sh.

chsh will ask for a password the one will be stored or used for creating
a new entry on /etc/passwd (later update will update /etc/mater.passwd)
(this should not happen)

>Fix:
unknown, maybe temporally disabling chsh 

>Release-Note:
>Audit-Trail:
>Unformatted:
