Users conflicts #4

Open
Mazamazine opened this issue Jul 29, 2021 · 3 comments

@Mazamazine

Users created under alternc are under /var/lib/extrausers/.
In nsswitch.conf though, it's looking first in /etc/{shadow,passwd,group}.

The result of this is having conflicts between alternC users and existing users, leading to security problems.

Using alternc-php-fpm for instance, we can see processes under the right user but with the wrong uid.
Say you have your admin user in alternc (uid 2000) and an admin user with a uid 10440, here is what you get:
10440 5768 0.0 0.8 275752 18176 ? S 18:03 0:00 \_ php-fpm: pool admin

@camlafit
Contributor

Hello

Actually we don't have any check about uid or account name. If users are created after alternc installation, we could get a uid conflict between a legacy user and an alternc account.
I think the source problem is more on the Alternc part. We should check if the user is already defined as a standard account and check if the uid is already set.
Actually I've no correct idea to solve this.

@Mazamazine
Author

Mazamazine commented Oct 19, 2021

In the meantime, I opted for a check in /etc/passwd through a new function in m_nss.php (have to fix the preg_match though! Should be /^$login:/m so maza doesn't match mazamazine... => fixed by Koumbit@dd0e4a7)

Koumbit@73f5332#diff-7e21c6361f269dcf996896e26b6051018ff06f6f55ebd9a47665b18cdfc2e733

I had to add a hook prior to user creation in m_admin.php so that the account is not created if the user has been found in /etc/passwd.

Koumbit/AlternC@b2bd39d

To make this work, I also changed the apache template to add /etc/passwd in open_basedir.

Probably not the best way, but it fixes my problem for now.

@camlafit
Contributor

Hello

  • The hook idea looks very nice.
  • AlternC should directly manage user conflicts; we can get some trouble with(out) alternc-nss.
  • This patch doesn't take care of the existing context: if a user is already in conflict, it will not be solved in this case.

I think a better solution should be to check uid and username directly from AlternC.
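
An added example, not part of the thread and not AlternC code: a shell audit for accounts that are already in conflict, comparing login and uid as whole fields between the two passwd databases. The function name, the output format and the sample entries are constructed for illustration; on a real host the arguments would be /etc/passwd and the passwd file under /var/lib/extrausers/ (the file name is an assumption based on the usual libnss-extrausers layout).

```shell
#!/bin/sh
# Added example: list logins and uids present in both passwd databases.
# nsswitch.conf consults the first database before extrausers, so an entry
# found there shadows the AlternC one.

# find_conflicts FILES_PASSWD EXTRAUSERS_PASSWD  (hypothetical helper)
find_conflicts() {
    awk -F: '
        NF < 3 { next }                      # skip blank or malformed lines
        src == "files" {                     # index the system accounts
            uid_of[$1] = $3
            login_of[$3] = $1
            next
        }
        # Whole-field comparison: "maza" never matches "mazamazine".
        ($1 in uid_of) {
            printf "name-conflict %s files_uid=%s extrausers_uid=%s\n", $1, uid_of[$1], $3
        }
        ($3 in login_of) && login_of[$3] != $1 {
            printf "uid-conflict %s files_login=%s extrausers_login=%s\n", $3, login_of[$3], $1
        }
    ' src=files "$1" src=extrausers "$2"
}

# Constructed sample data mirroring the case described in the issue.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:10440:10440::/home/admin:/bin/bash
maza:x:1001:1001::/home/maza:/bin/bash
EOF
    cat > "$tmp/extrausers" <<'EOF'
admin:x:2000:2000::/srv/example/admin:/bin/false
mazamazine:x:2001:2001::/srv/example/mazamazine:/bin/false
web:x:1001:1001::/srv/example/web:/bin/false
EOF
    find_conflicts "$tmp/passwd" "$tmp/extrausers"
    rm -rf "$tmp"
}

demo
```
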
