#
# Description: Disallow users below the minimal system UID to login.
# Ubuntu: https://bugs.launchpad.net/bugs/484317
#
diff -Nur -x '*.orig' -x '*~' gdm-2.28.1/daemon/gdm-session-worker.c gdm-2.28.1.new/daemon/gdm-session-worker.c
--- gdm-2.28.1/daemon/gdm-session-worker.c 2009-10-19 23:12:45.000000000 +0100
+++ gdm-2.28.1.new/daemon/gdm-session-worker.c 2009-12-27 15:59:13.000000000 +0000
@@ -91,6 +91,35 @@
 #define MAX_FILE_SIZE 65536
+#ifdef __sun
+#define DEFAULT_MINIMAL_UID 100
+#else
+#define DEFAULT_MINIMAL_UID 500
+#endif
+
+#define DEFAULT_EXCLUDE { "bin", \
+ "root", \
+ "daemon", \
+ "adm", \
+ "lp", \
+ "sync", \
+ "shutdown", \
+ "halt", \
+ "mail", \
+ "news", \
+ "uucp", \
+ "operator", \
+ "nobody", \
+ "nobody4", \
+ "noaccess", \
+ GDM_USERNAME, \
+ "postgres", \
+ "pvm", \
+ "rpm", \
+ "nfsnobody", \
+ "pcap", \
+ NULL }
+
 enum {
 GDM_SESSION_WORKER_STATE_NONE = 0,
 GDM_SESSION_WORKER_STATE_SETUP_COMPLETE,
@@ -131,6 +160,7 @@
 char **arguments;
 GHashTable *environment;
+ GHashTable *exclusions;
 guint32 cancelled : 1;
 guint32 timed_out : 1;
 guint state_change_idle_id;
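Review bot: `DEFAULT_MINIMAL_UID` is a compile-time constant (500, or 100 under `__sun`) rather than a value read from configuration or from the system's `UID_MIN`, so the cut-off silently disagrees with distributions whose regular users start at 1000 and whose system accounts occupy 500–999, and those accounts pass the UID test unless they happen to be in the exclusion list; the later hunk's comment refers to "MinimalUID" as though it were a setting, which it is not here. At minimum document the limitation above the define: `/* Hard-coded lower bound for interactive logins; not read from login.defs UID_MIN, so keep in sync with the distribution's policy. */`. The `DEFAULT_EXCLUDE` macro expands to a brace initializer and can only be used in an array declaration; a `static const char *const default_exclude[]` table would be the idiom, is debugger-visible, and avoids the backslash continuations.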
@@ -1670,6 +1700,48 @@
 goto out;
 }
+
+ /* Skip users below MinimalUID... */
+ if (uid < DEFAULT_MINIMAL_UID) {
+ error_code = PAM_AUTH_ERR;
+ g_set_error (error,
+ GDM_SESSION_WORKER_ERROR,
+ GDM_SESSION_WORKER_ERROR_GIVING_CREDENTIALS,
+ uid == 0 ?
+ "The system administrator is not allowed to login from this screen" :
+ "The user %s is not allowed to login from this screen", worker->priv->username);
+ goto out;
+ }
+
+ /* ...And users w/ invalid shells... */
+ if (shell == NULL
+ || strcmp (shell, "/sbin/nologin") == 0
+ || strcmp (shell, "/bin/false") == 0) {
+ g_debug ("GdmSessionWorker: skipping user with bad shell: %s", worker->priv->username);
+
+ error_code = PAM_AUTH_ERR;
+ g_set_error (error,
+ GDM_SESSION_WORKER_ERROR,
+ GDM_SESSION_WORKER_ERROR_GIVING_CREDENTIALS,
+ uid == 0 ?
+ "The system administrator is not allowed to login from this screen" :
+ "The user %s is not allowed to login from this screen", worker->priv->username);
+ goto out;
+ }
+
+ /* ...And explicitly excluded users */
+ if (g_hash_table_lookup (worker->priv->exclusions, worker->priv->username)) {
+ g_debug ("GdmSessionWorker: explicitly skipping user: %s", worker->priv->username);
+
+ error_code = PAM_AUTH_ERR;
+ g_set_error (error,
+ GDM_SESSION_WORKER_ERROR,
+ GDM_SESSION_WORKER_ERROR_GIVING_CREDENTIALS,
+ uid == 0 ?
+ "The system administrator is not allowed to login from this screen" :
+ "The user %s is not allowed to login from this screen", worker->priv->username);
+ goto out;
+ }
+
 gdm_session_worker_update_environment_from_passwd_info (worker, uid, gid,
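Review bot: The shell check at `strcmp (shell, "/sbin/nologin")` / `strcmp (shell, "/bin/false")` is a fixed two-entry denylist, so an account disabled with `/usr/sbin/nologin` (the path Debian-derived systems, including the Ubuntu this patch targets, install it under) passes this test and is rejected only if the UID or exclusion rules also catch it; adding `|| strcmp (shell, "/usr/sbin/nologin") == 0` closes the most likely gap, and a comment noting that the list is a best-effort denylist rather than an allowlist against `/etc/shells` would set expectations. The three rejection blocks repeat the same nine-line `g_set_error` call; a small `static` helper taking `error`, `uid` and the username would keep the wording and error code in one place. The ternary selects the format string at run time and passes `worker->priv->username` even on the `%s`-less branch, which is harmless but defeats `-Wformat` checking; two literal `g_set_error` calls would be cleaner. The enclosing function starts and ends outside this hunk, so where these checks sit relative to the PAM account-management step cannot be confirmed from the diff.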
@@ -2912,12 +2984,26 @@
 static void
 gdm_session_worker_init (GdmSessionWorker *worker)
 {
+ const char *exclude_default[] = DEFAULT_EXCLUDE;
+ int i;
 worker->priv = GDM_SESSION_WORKER_GET_PRIVATE (worker);
 worker->priv->environment = g_hash_table_new_full (g_str_hash, g_str_equal, (GDestroyNotify) g_free, (GDestroyNotify) g_free);
+
+ /* exclusions */
+ worker->priv->exclusions = g_hash_table_new_full (g_str_hash,
+ g_str_equal,
+ g_free,
+ NULL);
+ for (i = 0; exclude_default[i] != NULL; i++) {
+ g_hash_table_insert (worker->priv->exclusions,
+ g_strdup (exclude_default [i]),
+ GUINT_TO_POINTER (TRUE));
+ }
+
 }
 static void
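Review bot: `worker->priv->exclusions` is allocated here but the diff adds no matching `g_hash_table_unref` in the worker's teardown; that path is outside this diff, so if `priv->environment` is released in finalize, `exclusions` should be released beside it rather than leaked per instance. The existing table passes `(GDestroyNotify) g_free` for its destroy functions while the new one passes `g_free` bare; both compile, but one form should be used consistently. Since the stored value is only `GUINT_TO_POINTER (TRUE)` and the lookup elsewhere tests for non-NULL, a comment such as `/* value is never read: presence of the key marks the user as excluded */` above the insert would spare the next reader from checking.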