[Savane-dev] Bad shell account deletion assumption

Fri, 15 Oct 2004 18:34:02 +0200 

I recently installed Savane for use on an internal project. After having things 
running on a test machine I installed on an established machine. Things were 
running smoothly until we started adding users. Then user home directories and 
all their contents started disappearing.

Some users happened to register close to when the sv_groups and sv_users script 
were to be run by cron. In sv_users we find this bit of code:

my @to_be_removed;
foreach my $user (@well_known) {
    # First test: looks for the typical case when someone is no
    # longer member of any project: we just list
    # Second test: looks for the marked as D users
    if (!exists($db_user_group{$user}) || $db_user{$user}->[5] eq 'D') {
       push(@to_be_removed, $user);
    }
}

Now, what happened is that we had established users on the system with 
established home directories from before the installation of Savane. As an 
internal machine I wasn't too worried about people having /bin/bash shell 
access. Also, the new user page says to use an existing account name if you 
have one when you register. So people used their accounts; why duplicate them?

So, they register, don't join an established group fast enough, and this bit of 
code sees that the user is in @well_known since they exist both in /etc/passwd 
from their preexisting account as well as in the database because they just 
joined up. It also sees that they don't belong to a group and it adds them to 
@to_be_removed. Then the script proceeds to obliterate their home directory, 
login, etc. Yes, we thankfully had backups.

This behavior, however, seems to be based on a rather bad assumption. There may 
be cases where users have business being local users even if they don't have an 
active project. Maybe you want the system to shoot an email off to an 
administrator, or maybe the user should just be stripped of all Savane specific 
groups on the filesystem. Maybe you really like the way it is and just want to 
put a big warning in the INSTALL.verbose file. Anything is better than leaving 
this assumption unchecked or unmentioned to those who don't fall into it.

Thank you,

Johnathan Gohde

Reply via email to