Secure Shell
Re: get logged in username Sep 19 2009 08:05AM
Mohsen Alimomeni (m alimomeni gmail com) (1 replies)
Re: get logged in username Sep 22 2009 08:44PM
Derek Martin (code pizzashack org) (1 replies)
On Sat, Sep 19, 2009 at 12:35:44PM +0430, Mohsen Alimomeni wrote:
> This is the exact scenario:
> When I use the command "ssh admin@host", the user is authenticated by
> a custom Pam module, and it's given the UID, GID and shell from a
> custom nss module. The shell is also a custom CLI, which needs the
> username - not the UID - to operate well.

This is a fine example of why usernames and UIDs should always have a
1-to-1 correspondence. As far as the OS is concerned, the UID is what
identifies a user uniquely, not its username. Also, you've reduced
the accountability of your system: for example, if user "foo" and
user "bar" both have UID 1234, then when bar creates a file, it will
appear to have been created by foo (assuming foo appears first in
/etc/passwd, or is returned first in whatever mechanism your system
uses to look up UIDs and usernames). Likewise, when user bar does
something that normally gets logged, it will be logged under user foo
(given the same conditions).

This is, in general, bad. You likely may encounter other things which
break subtly, or not so subtly.  I don't know what problem you're
trying to solve by doing this, but there's probably a better way.

--
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0x81CFE75D


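The attribution problem described in the reply above, as an added example that is not part of the original thread: a small audit that finds UIDs shared by several usernames and reports which name a first-match UID-to-name lookup would show. The sample entries, shell paths and function names are constructed for illustration, and the lookup is assumed to return entries in file order.

```python
from collections import OrderedDict

# Constructed sample in passwd(5) format (the layout `getent passwd` prints);
# "foo" and "bar" share UID 1234, as in the message above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
foo:x:1234:100:Foo:/home/foo:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bar:x:1234:100:Bar:/home/bar:/usr/local/bin/cli
"""

def parse_passwd(text):
    """Yield (name, uid) for each entry, preserving file order."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdecimal():
            raise ValueError(f"line {lineno}: malformed passwd entry")
        yield fields[0], int(fields[2])

def shared_uids(text):
    """Map each UID used by more than one name to its names, in lookup order."""
    by_uid = OrderedDict()
    for name, uid in parse_passwd(text):
        by_uid.setdefault(uid, []).append(name)
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}

def resolved_name(text, uid):
    """Name a first-match UID-to-name lookup reports (assumed: file order)."""
    for name, entry_uid in parse_passwd(text):
        if entry_uid == uid:
            return name
    return None

def audit(text):
    """One finding per shared UID: the name shown and the names hidden behind it."""
    return [
        {"uid": uid, "shown_as": names[0], "masked": names[1:]}
        for uid, names in sorted(shared_uids(text).items())
    ]

if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD):
        print(f"UID {f['uid']}: files and logs show {f['shown_as']!r}; "
              f"indistinguishable accounts: {', '.join(f['masked'])}")
```

On a system that resolves accounts through a custom NSS module, the text to feed in would be the output of `getent passwd` rather than /etc/passwd alone.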
Re: get logged in username Sep 23 2009 08:08AM
Mohsen Alimomeni (m alimomeni gmail com)

Copyright 2010, SecurityFocus