Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1283675
Description of problem: When ipa-server-install is run, records kdcproxy:x:388:388:IPA KDC Proxy User:/var/lib/kdcproxy:/sbin/nologin kdcproxy:x:388: get created in /etc/passwd and /etc/group. It'd be useful if the user was created at rpm installation time, per https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Dynamic_allocation or even using soft static allocation. On every system the uid/gid might be different, leading to potential leak when for example in containers data volumes get used with different images. In understand the kdcproxy user currently does not own any files besides its home directory /var/lib/kdcproxy but it might change (the wsgi application can start storing cache files, etc). Version-Release number of selected component (if applicable): # rpm -qf /usr/lib/python2.7/site-packages/ipaserver/install/httpinstance.py ipa-server-4.2.0-15.el7.x86_64 How reproducible: Deterministic. Steps to Reproduce: 1. Check /etc/passwd. 2. Run ipa-server-install. 3. Check /etc/passwd. Actual results: New record was created. Expected results: No new record was created because it was already there. Additional info:
Christian: FPC is very conservative and doesn't like to pre-allocate uid/gid unless we have a very good argument. kdcproxy doesn't own any files (except homedir). file ownership is FPC's main argument for preallocated uid/gid. https://fedoraproject.org/wiki/Packaging:UsersAndGroups#Soft_static_allocation
Metadata Update from @pvoborni: - Issue assigned to someone - Issue set to the milestone: Future Releases
kdcproxy user and group are created at RPM installation time. The useradd/groupadd calls are protected with a guard. This makes it possible to create the user and group before the package is installed.
I see very little chance to get pre-allocated UID and GID from FPC. The service does not require a fixed UID. It does neither own any files nor does any other service use the kdcproxy UID/GID to authenticate or identify the process. The kdcproxy user was added to separate privileges.
Metadata Update from @cheimes: - Issue close_status updated to: None
Close as the BZ was closed.
Metadata Update from @pcech: - Issue close_status updated to: wontfix - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.