Questions about users, UIDs, and root PATHs


(Eddie Atherton) #1

Still playing around with a virtual NS server and had a couple of questions about users.

It seems that using the UI to create a user, it automatically creates a group of the same name, but neither is added to the system files. It looks like all this achieves is to give the user access to e-mail and, looking through other options, Windows file share. However, you cannot log on to the server as that user, just via the UI.

Can I add users/groups directly to the system files, if I want to run any additional software that needs its own user? I tried this and it appears to work, but with a couple of strange side effects.

After banging my head against a door for 2 days trying to understand why my shorewall rules weren’t working in respect to one rule that uses the UID to mark packets, I ran an iptables trace. What this showed me was: UID=0, GID=507. The user in question has UID=506, GID=507. Any ideas why iptables isn’t seeing the UID?

One other anomaly I saw when running OpenVPN, is that if I add --up and --down scripts, these scripts are run as root, but the PATH they are passed is only: /usr/local/bin:/bin:/usr/bin which precludes any system commands from being used. I tried adding /sbin to the path, but even then I get a failure in shorewall that is run as a consequence of signal-event firewall adjust because it can’t find /sbin.

Cheers.


(Artem Fedai) #2

Wow, in brief pls, what do you want to achieve? Enable ssh to log on to the server!


(Eddie Atherton) #3

For which part? :smile:

For the users added via the UI, trying to natively log on or via ssh does the same thing. I get the Welcome to NethServer banner and nothing else. No prompt, nothing.

For the other parts, I’m trying to achieve what works correctly on my Zentyal server. IP packets have the correct UID which allows them to be routed based on my firewall rules.

For OpenVPN, I can issue commands in /sbin, as that is not removed from PATH before the --up/down exits are called.

Cheers.


(Eddie Atherton) #4

Ha. Let me answer my own question about the iptables. I was running ping as the test, which I now find out is flagged as “setuid”, so it effectively runs as root, hence UID=0. Guess I need to find another program to test with.

But still interested if anyone has any ideas about the OpenVPN --up/down exit thingy.

Cheers.


(Artem Fedai) #5

Dig harder :wink:


(Filippo Carletti) #6

User details, tab Services, last option is Remote shell (SSH).


(Eddie Atherton) #7

@filippo_carletti

Thank you. :beers: