Page MenuHomePhabricator
Create Task
Maniphest T131408

Shell user name "shadow" is not blocked
Closed, ResolvedPublic
Actions

Description

The user Rdtf13191994 has registered with the shell user name "shadow":

scfc@tools-bastion-05:~$ ldaplist -l passwd shadow

dn: uid=shadow,ou=people,dc=wikimedia,dc=org
        cn: Rdtf13191994
        objectClass: inetOrgPerson
        objectClass: person
        objectClass: ldapPublicKey
        objectClass: posixAccount
        objectClass: shadowAccount
        loginShell: /bin/bash
        uidNumber: 14500
        gidNumber: 500
        sn: Rdtf13191994
        homeDirectory: /home/shadow
        mail: lastone.0019@gmail.com
        uid: shadow
scfc@tools-bastion-05:~$

On Linux, there is a system group named "shadow", but no system user with that name. Nevertheless, I don't want to grant that account access to Labs without some more pairs of eyes and/or that shell user name should be blacklisted and the existing user modified.

Related Objects
Search...

StatusSubtypeAssignedTask
 Resolvedbd808T170178 Update wikitech Titleblacklist
 Resolvedbd808T131408 Shell user name "shadow" is not blocked

Event Timeline

scfc created this task.Mar 31 2016, 10:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptMar 31 2016, 10:32 PM
scfc added a project: Cloud-Services.Mar 31 2016, 10:33 PM
scfc updated the task description. (Show Details)
scfc added subscribers: Andrew, chasemp, yuvipanda and 2 others.
MoritzMuehlenhoff added a comment.Apr 1 2016, 6:57 AM

I'm not aware of a scenario on Debian/Ubuntu where a user "shadow" should have elevated privileges, but I agree with Tim's notion to better play safe and rename the user.

Andrew added a comment.Apr 1 2016, 1:46 PM

I've added ^(User:)?shadow$ <newaccountonly> to the title blacklist on wikitech.

chasemp triaged this task as High priority.Apr 4 2016, 1:50 PM
Bawolff moved this task from Backlog / Other to Operational issues on the acl*security board.Jul 10 2016, 5:24 PM
yuvipanda unsubscribed.Jun 7 2017, 7:57 PM
chasemp mentioned this in T170178: Update wikitech Titleblacklist.Jul 10 2017, 5:52 PM
chasemp added a parent task: T170178: Update wikitech Titleblacklist.
bd808 subscribed.Jul 13 2017, 5:39 PM

uid=shadow has been renamed to uid=rdtf13191994 and a message left for the account owner.

bd808 closed this task as Resolved.Jul 13 2017, 5:41 PM
bd808 claimed this task.
bd808 added projects: LDAP, cloud-services-team (Kanban).
Restricted Application added a project: User-bd808. · View Herald TranscriptJul 13 2017, 5:41 PM
bd808 changed the visibility from "Custom Policy" to "Public (No Login Required)".Jul 13 2017, 5:41 PM
bd808 moved this task from Inbox to Done on the cloud-services-team (Kanban) board.Jul 13 2017, 8:12 PM
chasemp added a project: Security.Feb 10 2020, 10:55 PM
chasemp removed a project: acl*security.Feb 20 2020, 8:15 PM
bd808 moved this task from To Do to Done on the User-bd808 board.Jul 15 2020, 9:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits