Re: useradd question
On Monday, May 20, 2019 4:05:55 PM EDT Lenny Bruzenak wrote:
On 5/20/19 2:59 PM, Steve Grubb wrote:
> So...I went digging through the source code of useradd.c. In main is this
>
> comment:
> /*
>
> * Do the hard stuff:
> * - open the files,
> * - create the user entries,
> * - create the home directory,
> * - create user mail spool,
> * - flush nscd caches for passwd and group services,
> * - then close and update the files.
> */
>
> If you dig around, you'll see in the above process it calls usr_update().
> This is where the audit event is. The very next function call is
> close_files. This is where it actually writes to the files where it
> would be visible to auditd. So, it looks like auditing in shadow-utils
> is busted.
>
> I also see where its calling pam_tally2 which is deprecated for years. It
> should be calling faillock. I'll chat with upstream maintainers.
Thank you Steve, much appreciated! If they are able to provide a patch,
would you mind asking them to send me a link and I'll test it ASAP?
I think this is the right fix:
diff -urp shadow-4.6.orig/src/useradd.c shadow-4.6/src/useradd.c
--- shadow-4.6.orig/src/useradd.c 2019-05-21 08:26:12.533328554 -0400
+++ shadow-4.6/src/useradd.c 2019-05-22 12:21:46.305293997 -0400
@@ -1955,9 +1955,14 @@ static void usr_update (void)
#endif /* ENABLE_SUBIDS */
#ifdef WITH_AUDIT
+ /*
+ * Even though we have the ID of the user, we won't send it now
+ * because its not written to disk yet. After close_files it is
+ * and we can use the real ID thereafter.
+ */
audit_logger (AUDIT_ADD_USER, Prog,
"add-user",
- user_name, (unsigned int) user_id,
+ user_name, AUDIT_NO_ID,
SHADOW_AUDIT_SUCCESS);
#endif
/*