
Make all ldap users have a sane shell (/bin/bash)
Closed, Resolved · Public

Description

It's currently sillyshell, which does not exist anymore. We override it to be /bin/bash everywhere in nss_ldap.conf and that means we can't actually set it to anything other than /bin/bash.

As of May 4th 2017:

$ ldapsearch -LLL -x -b 'ou=people,dc=wikimedia,dc=org' "(&(objectClass=person)(!(loginShell=/bin/bash)))" dn loginShell
dn: uid=river,ou=people,dc=wikimedia,dc=org
loginShell: /usr/bin/zsh

dn: uid=shinken,ou=people,dc=wikimedia,dc=org
loginShell: /bin/false
$
NOTE: in puppet we have an nslcd override to set /bin/bash
modules/ldap/templates/nslcd.conf.erb
<%- if @shell_override %>
map passwd loginshell "<%= @shell_override %>"
<%- elsif @realm == "labs" %>
map passwd loginshell "/bin/bash"
<%- end %>

Details

Related Gerrit Patches:
operations/puppet (production): nslcd: Remove Labs shell override
operations/puppet (production): add-ldap-user: Don't use sillyshell, it's silly (and doesn't exist anymore)
operations/puppet (production): labs: Don't override shell for all users
operations/mediawiki-config (master): Make wikitech default shell /bin/bash

Event Timeline

yuvipanda raised the priority of this task from to Normal.
yuvipanda updated the task description.
yuvipanda added subscribers: Unknown Object (MLST), scfc, greg and 6 others.

New users created by wikitech should also be set to /bin/bash rather than sillyshell

Change 184635 had a related patch set uploaded (by Yuvipanda):
Make wikitech default shell sillyshell

https://gerrit.wikimedia.org/r/184635

Patch-For-Review

demon added a subscriber: demon. Jan 13 2015, 3:09 PM

Sillyshell, for those unaware, was a dead-simple shell that wrapped svnserve & co. and we used to run it on the Subversion box. We committed using svn+ssh but didn't want to give people fully interactive shells.

Any remaining references to sillyshell should get cleaned up.

scfc added a comment. Jan 13 2015, 7:27 PM

See also T67591 (maybe duplicate). IIRC the two questions there were:

  1. Don't accidentally unlock the Subversion server for anyone with shell access.
  2. Don't accidentally lock the Subversion server for ops.

demon added a comment. Jan 13 2015, 7:35 PM

In T86668#974281, @scfc wrote:

    See also T67591 (maybe duplicate). IIRC the two questions there were:

      1. Don't accidentally unlock the Subversion server for anyone with shell access.
      2. Don't accidentally lock the Subversion server for ops.

1. Isn't a problem because the permissions on the repos are all read-only, regardless of who you are

scfc added a comment. Jan 13 2015, 9:25 PM

In T86668#974333, @Chad wrote:

    In T86668#974281, @scfc wrote:

        See also T67591 (maybe duplicate). IIRC the two questions there were:

          1. Don't accidentally unlock the Subversion server for anyone with shell access.
          2. Don't accidentally lock the Subversion server for ops.

    1. Isn't a problem because the permissions on the repos are all read-only, regardless of who you are

Yes, but if previously the server was set up with the mindset that non-trusted users can only execute svnserve -t, allowing users full shell might open up new attack vectors. I don't know if the Subversion server is treated security-wise in the same way as a Labs instance.

Change 184635 merged by jenkins-bot:
Make wikitech default shell /bin/bash

https://gerrit.wikimedia.org/r/184635

antimony, our svn server, doesn't actually seem to have LDAP configured, or ssh accessible from outside the cluster.

Change 185127 had a related patch set uploaded (by Yuvipanda):
labs: Don't override shell for all users

https://gerrit.wikimedia.org/r/185127

Patch-For-Review

Change 185127 merged by Faidon Liambotis:
labs: Don't override shell for all users

https://gerrit.wikimedia.org/r/185127

I suspect https://gerrit.wikimedia.org/r/#/c/185127/ changed the mwdeploy user homedir as a side effect, but that might be unrelated.

Beta cluster scap is broken: T86901
I have filed a bug to change the mwdeploy homeDirectory in LDAP: T86903

yuvipanda closed this task as Resolved. Jan 16 2015, 10:35 AM
yuvipanda claimed this task.

They have a sane shell now! \o/

yuvipanda reopened this task as Open. Oct 6 2015, 5:04 AM

lol, apparently there is:

<% if @realm == "labs" %>map passwd loginshell "/bin/bash"<% end %>

in nslcd.conf.erb which I totally missed...

Restricted Application added subscribers: Luke081515, Matanya. Oct 6 2015, 5:04 AM

hashar closed this task as Resolved. Nov 2 2015, 9:18 PM

Seems this one has been fixed ages ago.

yuvipanda reopened this task as Open. Nov 2 2015, 10:20 PM

No, I just reopened it; see T86668#1704524

yuvipanda removed yuvipanda as the assignee of this task. Nov 13 2015, 7:03 AM
fgiunchedi added a subscriber: fgiunchedi.
Restricted Application added a project: Cloud-Services. Dec 1 2015, 11:38 AM
hashar removed a subscriber: hashar. Jan 7 2016, 10:50 AM

Change 299812 had a related patch set uploaded (by Chad):
add-ldap-user: Don't use sillyshell, it's silly (and doesn't exist anymore)

https://gerrit.wikimedia.org/r/299812

Change 299812 merged by Yuvipanda:
add-ldap-user: Don't use sillyshell, it's silly (and doesn't exist anymore)

https://gerrit.wikimedia.org/r/299812

AlexMonk-WMF added a subscriber: AlexMonk-WMF.

Was this completed?

krenair@bastion-01:~$ ldapsearch -x "(&(objectClass=novauser)(!(loginShell=/bin/bash)))"
# extended LDIF
#
# LDAPv3
# base <dc=wikimedia,dc=org> (default) with scope subtree
# filter: (&(objectClass=novauser)(!(loginShell=/bin/bash)))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
krenair@bastion-01:~$ ldapsearch -x "(&(objectClass=novauser)(loginShell=/bin/bash))" | tail -n 2
# numResponses: 572
# numEntries: 571

Ugh, wrong objectClass:

krenair@bastion-01:~$ ldapsearch -x "(&(objectClass=person)(!(loginShell=/bin/bash)))" | grep dn: | grep ou=people | grep -v servicegroups | grep -v "tools\."
dn: uid=river,ou=people,dc=wikimedia,dc=org
dn: uid=shinken,ou=people,dc=wikimedia,dc=org
krenair@bastion-01:~$ ldapsearch -x uid=shinken | grep loginShell
loginShell: /bin/false
krenair@bastion-01:~$ ldapsearch -x uid=river | grep loginShell
loginShell: /usr/bin/zsh

hashar updated the task description. May 4 2017, 8:01 AM
hashar added a subscriber: Reedy.

There are only two accounts in LDAP with shells not being /bin/bash:

$ ldapsearch -LLL -x -b 'ou=people,dc=wikimedia,dc=org' "(&(objectClass=person)(!(loginShell=/bin/bash)))" dn loginShell
dn: uid=river,ou=people,dc=wikimedia,dc=org
loginShell: /usr/bin/zsh

dn: uid=shinken,ou=people,dc=wikimedia,dc=org
loginShell: /bin/false

river is no longer active iirc, and for shinken I am not sure why it would need false. I guess LDAP-Access-Requests can change the shell for both of those users to /bin/bash.

Most probably we can then remove the nslcd.conf override in modules/ldap/templates/nslcd.conf.erb:

<%- if @shell_override %>
map passwd loginshell "<%= @shell_override %>"
<%- elsif @realm == "labs" %>
map passwd loginshell "/bin/bash"
<%- end %>

And the task would be completed.

bd808 added a subscriber: hashar.

    There are only two accounts in LDAP with shells not being /bin/bash:

    $ ldapsearch -LLL -x -b 'ou=people,dc=wikimedia,dc=org' "(&(objectClass=person)(!(loginShell=/bin/bash)))" dn loginShell
    dn: uid=river,ou=people,dc=wikimedia,dc=org
    loginShell: /usr/bin/zsh
    dn: uid=shinken,ou=people,dc=wikimedia,dc=org
    loginShell: /bin/false

This result ignores the 970 posixaccount objects under ou=people,ou=servicegroups,dc=wikimedia,dc=org that use /usr/local/bin/sillyshell or /bin/false:

$ ldapsearch -xLLL -E pr=40000/noprompt -b 'dc=wikimedia,dc=org' '(&(objectClass=posixaccount)(!(loginShell=/bin/bash)))' loginShell |grep loginShell|sort|uniq -c
      2 loginShell: /bin/false
      1 loginShell: /usr/bin/zsh
    969 loginShell: /usr/local/bin/sillyshell

Most of these (soon to be all I think based on recent email threads) are Tool Labs "tool" shared accounts. These are the users that actually run jobs on the job grid and the accounts that become $TOOLNAME sudo's the calling user to. They will all need to be fixed before the remapping is removed from nslcd.conf in Tool Labs. I've made a note in T149458: Manage shared tool accounts via Striker that I should not propagate the /usr/local/bin/sillyshell to new tools accounts. There is probably something we can change in MediaWiki-extensions-OpenStackManager to stop that sooner as well.

    I am not sure why would need false.

This is a service account that is in LDAP for $REASONS. I haven't bothered to track down what those reasons are. Having its shell set to /bin/false is perfectly fine though and will do what it is intended to do (stop interactive logins as this user) once the hack in our config is removed. For that matter, it's fine for river to have zsh as a login shell. We just need to have all accounts have valid login shells so we can remove the hack in nslcd.conf that replaces the loginShell reported by LDAP with /bin/bash unconditionally.

hashar added a comment. May 9 2017, 3:45 PM

I have excluded the servicegroups based on an earlier comment.

/bin/false looks legit indeed. Thanks.

I have dug into the puppet history of add-ldap-user:

The script defaulted to sillyshell. That got switched to default to bash ( 601cb5464fd6f3c42840e18fd17e3755ae9fbf0f / T86668 ).

c3457c9d6b removed the script entirely since You create ldap users with wikitech now.

But I have not been able to find any reference to sillyshell :(

hashar added a comment. May 9 2017, 3:49 PM

And OpenStackManager uses /bin/bash 6360ed954ee5488d0a4be3bcc156bdc0bc7543f4

-$wgOpenStackManagerLDAPDefaultShell = '/usr/local/bin/sillyshell';
+$wgOpenStackManagerLDAPDefaultShell = '/bin/bash';
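Review bot: this only changes the default applied to accounts created from now on; entries already stored in LDAP with /usr/local/bin/sillyshell keep that value, so a one-off ldapmodify pass over the existing service-group accounts is still needed before the nslcd loginshell override can be removed.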

So most probably we just have to do an LDAP search and replace for the service groups?

demon added a comment. May 9 2017, 4:28 PM

Sillyshell entries can probably be replaced with /bin/bash, it doesn't exist anymore. It was a dummy wrapper that we used for SVN that limited what things a user could do over SSH, namely just SVN-related stuff.

The summary is roughly:

Only service groups still have sillyshell as a login. OpenStackManager is no more adding it and defaults to bash.

Accounts left to migrate are the various service groups (969 of them):

bastion.wmflabs.org$ ldapsearch -xLLL -E pr=40000/noprompt -b 'dc=wikimedia,dc=org' '(&(objectClass=posixaccount)(!(loginShell=/bin/bash)))' loginShell |grep loginShell|sort|uniq -c
      3 loginShell: /bin/false
      1 loginShell: /usr/bin/zsh
    969 loginShell: /usr/local/bin/sillyshell
bastion.wmflabs.org$

Is it fine to switch them to /bin/bash, and who can handle the LDAP queries to rewrite them?

Mentioned in SAL (#wikimedia-operations) [2017-06-26T22:49:28Z] <bd808> Updated LDAP loginShell to /bin/bash for 969 accounts that were still set to /usr/local/bin/sillyshell (T86668)

The sillyshell entries have been cleaned up.

$ ldapsearch -xLLL -E pr=40000/noprompt -b 'dc=wikimedia,dc=org' '(&(objectClass=posixaccount)(!(loginShell=/bin/bash)))' loginShell |grep loginShell|sort|uniq -c
      3 loginShell: /bin/false
      2 loginShell: /usr/bin/zsh

Change 361595 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[operations/puppet@production] nslcd: Remove Labs shell override

https://gerrit.wikimedia.org/r/361595

hashar moved this task from Triage to In Progress on the Cloud-Services board. Jun 27 2017, 8:27 AM

Just for the historical record, here's what I did to edit the loginShell entries. Commands were run from labcontrol1001.wikimedia.org:

$ for dn in $(ldapsearch -xLLL -E pr=40000/noprompt -o ldif-wrap=no -b 'dc=wikimedia,dc=org' '(&(objectClass=posixaccount)(loginShell=/bin/zsh))' dn|grep dn:|awk '{print $2}'); do
(
echo dn: $dn
echo changetype: modify
echo replace: loginShell
echo loginShell: /bin/bash
echo
) >> T86668-fix-shells.ldif
done
$ view T86668-fix-shells.ldif
$ ldapmodify -x -D 'uid=novaadmin,ou=people,dc=wikimedia,dc=org' -W -f T86668-fix-shells.ldif
Enter LDAP Password:

The use of -o ldif-wrap=no in the initial search is important. There are many dn values that are rather long and would otherwise be wrapped to multiple lines that break the grep + awk extraction. In this particular case, I don't think the use of -E pr=40000/noprompt to enable paging by the client was strictly necessary, but it doesn't hurt anything.
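The audit and remap procedure from the comments above (the loginShell count query and the LDIF-driven ldapmodify run), as an added example that is not code from this task or from operations/puppet. It reads `ldapsearch -LLL` output on stdin, unfolds LDIF continuation lines (the wrapping that `-o ldif-wrap=no` sidesteps in the grep/awk version), counts loginShell values, and emits `replace: loginShell` records for any account whose shell is missing or not in an accepted set. The sample LDIF, the accepted-shell set and the uid names in it are constructed for the example.

```python
"""Audit loginShell values from ldapsearch LDIF output and build an
ldapmodify changeset for the accounts that still need a remap.

Added example, not code from this task or from operations/puppet. Feed it
`ldapsearch -xLLL ... '(objectClass=posixAccount)' dn loginShell` on stdin,
or run it without stdin to use the constructed sample below.
"""
import base64
import sys
from collections import Counter

# Constructed sample resembling `ldapsearch -xLLL` output. The second dn is
# folded across two lines (an LDIF continuation line starts with one space),
# which is exactly what breaks a `grep dn: | awk '{print $2}'` pipeline
# unless the search was run with -o ldif-wrap=no.
SAMPLE_LDIF = """\
dn: uid=river,ou=people,dc=wikimedia,dc=org
loginShell: /usr/bin/zsh

dn: uid=tools.some-very-long-tool-name,ou=people,ou=servicegroups,dc=wikimedia,d
 c=org
loginShell: /usr/local/bin/sillyshell

dn: uid=shinken,ou=people,dc=wikimedia,dc=org
loginShell: /bin/false

dn: uid=legacy-svc,ou=people,dc=wikimedia,dc=org
"""

# Shells accepted as-is (assumed set). /bin/false and zsh are fine per the
# thread; only the vanished sillyshell, or a missing loginShell, needs a fix.
VALID_SHELLS = {"/bin/bash", "/bin/false", "/usr/bin/zsh", "/bin/zsh"}
TARGET_SHELL = "/bin/bash"


def unfold(lines):
    """Join LDIF continuation lines (RFC 2849 folding) onto the line before."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def parse_entries(text):
    """Return one {attr: [values]} dict per blank-line-separated LDIF record."""
    entries, current = [], {}
    for line in unfold(text.splitlines()) + [""]:  # sentinel flushes the last record
        if not line:
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):  # ldapsearch comment lines (search result, etc.)
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form used for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def shell_summary(entries):
    """Count loginShell values, like `grep loginShell | sort | uniq -c`."""
    return Counter(e["loginShell"][0] for e in entries if "loginShell" in e)


def needs_remap(entries, valid=VALID_SHELLS):
    """DNs whose loginShell is absent or not in the accepted set."""
    return [e["dn"][0] for e in entries
            if e.get("loginShell", [None])[0] not in valid]


def modify_ldif(dns, shell=TARGET_SHELL):
    """Render ldapmodify records that replace loginShell, one per dn."""
    records = [
        f"dn: {dn}\nchangetype: modify\nreplace: loginShell\nloginShell: {shell}\n"
        for dn in dns
    ]
    return "\n".join(records)


if __name__ == "__main__":
    text = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    entries = parse_entries(text)
    for shell, count in sorted(shell_summary(entries).items()):
        print(f"{count:7d} loginShell: {shell}", file=sys.stderr)
    # Review the LDIF first, then: ldapmodify -x -D '<admin dn>' -W -f fix-shells.ldif
    sys.stdout.write(modify_ldif(needs_remap(entries)))
```

The summary goes to stderr and the changeset to stdout, so `... | python3 fix_shells.py > fix-shells.ldif` gives a file to review before it is handed to ldapmodify. An entry with no loginShell at all is flagged too: once the nslcd override is gone, such an account would no longer be silently mapped to /bin/bash, so it should be given an explicit, intended shell rather than left to whatever the client's fallback is.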

Change 361595 merged by Andrew Bogott:
[operations/puppet@production] nslcd: Remove Labs shell override

https://gerrit.wikimedia.org/r/361595

bd808 closed this task as Resolved. Jun 28 2017, 11:01 PM
bd808 claimed this task.
Restricted Application added a project: User-bd808. Jun 28 2017, 11:01 PM