System UID range increased from 500 to 1000 in RHEL/CentOS 7 #194

Open
martinbydefault opened this issue Sep 26, 2018 · 2 comments
martinbydefault commented Sep 26, 2018

System user UID range was extended from 0-499 to 0-999 (https://access.redhat.com/articles/1190233).

In the template rhel_system_auth.j2 there is a 500 hardcoded.
I think there should be a variable with the max system UID number (500 or 1000, depending on the OS version) and use that variable instead of the 500 hardcoded here:
https://github.com/dev-sec/ansible-os-hardening/blob/44b32922ffd4372fabdef56c958448ea555ed9c3/templates/etc/pam.d/rhel_system_auth.j2#L9 and here: https://github.com/dev-sec/ansible-os-hardening/blob/44b32922ffd4372fabdef56c958448ea555ed9c3/templates/etc/pam.d/rhel_system_auth.j2#L17

Or maybe don't define a new variable and just use os_auth_uid_min?

In both cases the variable must be defined in the OS specific version var file (Redhat-6 and Redhat-7) instead of the general (Redhat).

I can submit a PR with the changes once I get feedback from this.

CC @rndmh3ro

@rndmh3ro rndmh3ro added the bug label Oct 1, 2018

rndmh3ro commented Oct 1, 2018

Hey @martinbydefault,
thanks for noticing that, you're completely right!

> Or maybe don't define a new variable and just use os_auth_uid_min?

Yes, we should use that variable.

If you would open a PR that would be great!

@pyllyukko

How about reading it from /etc/login.defs (SYS_UID_MAX)?
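
An added example (not from this thread or the dev-sec project's code): deriving the system/regular UID boundary from login.defs content, as the comment above suggests, and flagging pam_succeed_if uid tests that do not sit on that boundary. The function names and both sample inputs are constructed for illustration; the fallback of SYS_UID_MAX to UID_MIN - 1 and the UID_MIN default of 1000 follow the shadow-utils login.defs documentation.

```python
import re

# Constructed sample inputs (not copied from the project's template).
LOGIN_DEFS_EL7 = """\
# constructed login.defs excerpt with the 0-999 system range
UID_MIN                  1000
SYS_UID_MIN               201
SYS_UID_MAX               999
"""
PAM_SAMPLE = """\
auth        requisite     pam_succeed_if.so uid >= 500 quiet_success
account     sufficient    pam_succeed_if.so uid < 500 quiet
"""

PAM_UID_RE = re.compile(r"pam_succeed_if\.so\b.*?\buid\s*(>=|<=|<|>)\s*(\d+)")

def parse_login_defs(text):
    """Return {KEY: value} for the 'KEY value' lines, ignoring comments."""
    settings = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            settings[fields[0]] = fields[1]
    return settings

def uid_boundaries(text):
    """Return (sys_uid_max, uid_min); SYS_UID_MAX defaults to UID_MIN - 1."""
    s = parse_login_defs(text)
    uid_min = int(s.get("UID_MIN", 1000))  # shadow-utils default
    sys_uid_max = int(s.get("SYS_UID_MAX", uid_min - 1))
    return sys_uid_max, uid_min

def stale_pam_thresholds(pam_text, login_defs_text):
    """List (line_no, operator, value) for uid tests off the boundary."""
    sys_uid_max, uid_min = uid_boundaries(login_defs_text)
    # 'uid >= N' / 'uid < N' split at UID_MIN; 'uid <= N' / 'uid > N' at SYS_UID_MAX.
    expected = {">=": uid_min, "<": uid_min, "<=": sys_uid_max, ">": sys_uid_max}
    findings = []
    for no, line in enumerate(pam_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = PAM_UID_RE.search(line)
        if m and int(m.group(2)) != expected[m.group(1)]:
            findings.append((no, m.group(1), int(m.group(2))))
    return findings

if __name__ == "__main__":
    print(uid_boundaries(LOGIN_DEFS_EL7), stale_pam_thresholds(PAM_SAMPLE, LOGIN_DEFS_EL7))
```

With a threshold of 500 on a host whose login.defs sets UID_MIN to 1000, both sample PAM lines are reported, because UIDs 500-999 are system accounts there but fall on the regular-user side of the PAM test.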

rndmh3ro added a commit that referenced this issue Jul 24, 2020
set 'GSSAPIAuthentication yes' if variable 'ssh_gssapi_support' is set to 'true'
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
set 'GSSAPIAuthentication yes' if variable 'ssh_gssapi_support' is set to 'true'