Page MenuHomePhabricator

Shell user name "shadow" is not blocked
Closed, ResolvedPublic


The user Rdtf13191994 has registered with the shell user name "shadow":

scfc@tools-bastion-05:~$ ldaplist -l passwd shadow

dn: uid=shadow,ou=people,dc=wikimedia,dc=org
        cn: Rdtf13191994
        objectClass: inetOrgPerson
        objectClass: person
        objectClass: ldapPublicKey
        objectClass: posixAccount
        objectClass: shadowAccount
        loginShell: /bin/bash
        uidNumber: 14500
        gidNumber: 500
        sn: Rdtf13191994
        homeDirectory: /home/shadow
        uid: shadow

On Linux, there is a system group named "shadow", but no system user with that name. Nevertheless, I don't want to grant that account access to Labs without some more pairs of eyes and/or that shell user name should be blacklisted and the existing user modified.

Event Timeline

I'm not aware of a scenario on Debian/Ubuntu where a user "shadow" should have elevated privileges, but I agree with Tim's notion to better play safe and rename the user.

I've added ^(User:)?shadow$ <newaccountonly> to the title blacklist on wikitech.

bd808 claimed this task.
bd808 changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 13 2017, 5:41 PM