Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"irc" user always changed after reboot #53

Closed
fitz123 opened this issue Nov 15, 2015 · 13 comments
Closed

"irc" user always changed after reboot #53

fitz123 opened this issue Nov 15, 2015 · 13 comments
Labels
bug help wanted

Comments

@fitz123
Copy link
Contributor

fitz123 commented Nov 15, 2015

Task: change system accounts not on the user provided ignore-list
always changes something for "irc" user after refoor

~$ cat /etc/*rel*
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.3 LTS"
NAME="Ubuntu"
VERSION="14.04.3 LTS, Trusty Tahr"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 14.04.3 LTS"
VERSION_ID="14.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"

with apt: update_cache=yes upgrade=dist

Cannot find what's the reason/
@rndmh3ro
Copy link
Member

By default we do not change a 'irc' user. Can you provide your playbook and the setting for
os_ignore_users?

The user-task removes the login shell and sets the password to '*'. You could check what changed after a reboot.

@fitz123
Copy link
Contributor Author

fitz123 commented Nov 17, 2015

I don't see any changes in /etc/passwd and in /etc/shadow
So have no idea where changes are?

in group_vars/all/all.yml I have os_ignore_users: ['secret-ninja','web-ninja','ninja','backup']
No other difference.
I have: irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin in /etc/passwd
and: irc:*:16652:0:99999:7:::

@rndmh3ro
Copy link
Member

User irc has UID 39, it's a system account.
The os-hardening role changes the password from x to * and I guess, after a reboot something changes it back to x. But i don't know what triggers the change. Maybe the program that's running the irc-server/client?

@rndmh3ro
Copy link
Member

Hey, @fitz123, if you still have an issue, I'll reopen this!

@fitz123
Copy link
Contributor Author

fitz123 commented Dec 20, 2015

after every reboot task change system accounts not on the user provided ignore-list for irc user is changed.
I run os-hardening, reboot, then run it again - have irc changed. Have no idea why.
Probably it's something wrong with irc ubuntu default user, or need to look closer on ansible user module?

p.s. it doesn't change "the password from x to *"
passwd after hardening applied: irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
passwd after reboot: irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin

@rndmh3ro rndmh3ro reopened this Dec 20, 2015
@rndmh3ro
Copy link
Member

Okay, I can reproduce this.
Installing irssi creates a "irc" user.
This gets changed by our ansible-playbook, but not on consequent turns without a reboot.
However when rebooting between runs, it shows as changed.
This even happens when you do nothing with the user at all:

- name: change system accounts not on the user provided ignore-list
  user: name='irc'

If you run the ansible-playbook on the host like this:

ANSIBLE_KEEP_REMOTE_FILES=1 ansible-playbook -i hosts default.yml --diff --tags=user_accounts -vvvvv

it keeps the temporary created files.

Now when I diff the python script that changes the user irc with the script that changes e.g. user libuuid, the only difference is the name changed:

root@default-ubuntu-1204:~/kitchen# diff /root/.ansible/tmp/ansible-tmp-1450641841.83-50238696111861/user /root/.ansible/tmp/ansible-tmp-1450641841.71-135014314805713/user
2162c2162
< MODULE_ARGS = "name='libuuid'"
---
> MODULE_ARGS = "name='irc'"

Long story short: I don't know what's going on. I'll investigate further.

@fitz123
Copy link
Contributor Author

fitz123 commented Dec 21, 2015

Everything right, except I doesn't install 'irssi'. User 'irc' exists by default in the 'ubuntu-14.04.3-server' official distributive, at least it existed few months ago when I downloaded it last time

@rndmh3ro
Copy link
Member

Problem does not appear on Centos 6.5. I'm going to ask on the mailinglist.

@rndmh3ro
Copy link
Member

rndmh3ro commented Jan 29, 2016
edited

ansible/ansible-modules-core#2943

@rndmh3ro
Copy link
Member

@fitz123, I guess that's not really an issue with the hardening role. Do you still want to keep this issue open?

@fitz123
Copy link
Contributor Author

fitz123 commented May 19, 2016
edited

I'm not sure does it really affect something? It's possibly that irc user is actually changed in some way during startup and it's possibly that this task changes it back, breaking service functionality.
so it's all just my thoughts though, but what do you think about excluding this user? What by your opinion better to do here: just ignore it or exclude/whitelist this user?

@rndmh3ro
Copy link
Member

Sorry for not answering, @fitz123, I missed that post!
If you did not solve your problem yet, I'd definetly put this user on the ignore-list in your role! Good thing, we already have that feature.

@fitz123
Copy link
Contributor Author

fitz123 commented Aug 15, 2016

Ok, 2 options then. It works for me

@fitz123 fitz123 closed this as completed Aug 15, 2016
rndmh3ro added a commit that referenced this issue Nov 8, 2020
@rndmh3ro
Merge pull request #53 from dev-sec/update_docs
e54061b 
update readme to new layout for vars
divialth pushed a commit to divialth/ansible-collection-hardening that referenced this issue Aug 3, 2022
@rndmh3ro
Merge pull request dev-sec#53 from dev-sec/update_docs
3d11b46 
update readme to new layout for vars
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug help wanted
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rndmh3ro @fitz123