Commit 198f4dd4 authored by Michael Catanzaro

Remove user heuristics

We don't want this code running except on Red Hat systems, where we can
maintain it in a downstream patch if need be.

The heuristic has been wrong before (e.g. in #57) and is not useful
on upstream systems, where 1000 is the presumed minimum uid for human
users.
parent 435624d5
...@@ -187,7 +187,6 @@ extra_admin_groups = ','.join(get_option('extra_admin_groups')) ...@@ -187,7 +187,6 @@ extra_admin_groups = ','.join(get_option('extra_admin_groups'))
config_h.set_quoted('ADMIN_GROUP', admin_group) config_h.set_quoted('ADMIN_GROUP', admin_group)
config_h.set_quoted('EXTRA_ADMIN_GROUPS', extra_admin_groups) config_h.set_quoted('EXTRA_ADMIN_GROUPS', extra_admin_groups)
config_h.set('ENABLE_USER_HEURISTICS', get_option('user_heuristics'))
config_h.set('MINIMUM_UID', get_option('minimum_uid')) config_h.set('MINIMUM_UID', get_option('minimum_uid'))
# GDM # GDM
......
...@@ -2,7 +2,6 @@ option('systemdsystemunitdir', type: 'string', value: '', description: 'custom d ...@@ -2,7 +2,6 @@ option('systemdsystemunitdir', type: 'string', value: '', description: 'custom d
option('gdmconffile', type: 'string', value: '/etc/gdm/custom.conf', description: 'GDM configuration file') option('gdmconffile', type: 'string', value: '/etc/gdm/custom.conf', description: 'GDM configuration file')
option('admin_group', type: 'string', value: '', description: 'Set group for administrative accounts') option('admin_group', type: 'string', value: '', description: 'Set group for administrative accounts')
option('user_heuristics', type: 'boolean', value: true, description: 'Enable heuristics for guessing system vs. human users in the range 500-minimum-uid')
option('extra_admin_groups', type: 'array', value: [], description: 'Comma-separated list of extra groups that administrator users are part of') option('extra_admin_groups', type: 'array', value: [], description: 'Comma-separated list of extra groups that administrator users are part of')
option('minimum_uid', type: 'integer', value: 1000, description: 'Set minimum uid for human users') option('minimum_uid', type: 'integer', value: 1000, description: 'Set minimum uid for human users')
......
...@@ -76,39 +76,6 @@ user_classify_is_blacklisted (const char *username) ...@@ -76,39 +76,6 @@ user_classify_is_blacklisted (const char *username)
return FALSE; return FALSE;
} }
#ifdef ENABLE_USER_HEURISTICS
static gboolean
user_classify_is_excluded_by_heuristics (const gchar *username,
const gchar *password_hash)
{
gboolean ret = FALSE;
if (password_hash != NULL) {
/* skip over the account-is-locked '!' prefix if present */
if (password_hash[0] == '!')
password_hash++;
if (password_hash[0] != '\0') {
/* modern hashes start with "$n$" */
if (password_hash[0] == '$') {
if (strlen (password_hash) < 4)
ret = TRUE;
/* DES crypt is base64 encoded [./A-Za-z0-9]*
*/
} else if (!g_ascii_isalnum (password_hash[0]) &&
password_hash[0] != '.' &&
password_hash[0] != '/') {
ret = TRUE;
}
}
}
return ret;
}
#endif /* ENABLE_USER_HEURISTICS */
static gboolean static gboolean
is_invalid_shell (const char *shell) is_invalid_shell (const char *shell)
{ {
...@@ -156,13 +123,5 @@ user_classify_is_human (uid_t uid, ...@@ -156,13 +123,5 @@ user_classify_is_human (uid_t uid,
if (shell != NULL && is_invalid_shell (shell)) if (shell != NULL && is_invalid_shell (shell))
return FALSE; return FALSE;
#ifdef ENABLE_USER_HEURISTICS
/* only do heuristics on the range 500-1000 to catch one off migration problems in Fedora */
if (uid >= 500 && uid < MINIMUM_UID) {
if (!user_classify_is_excluded_by_heuristics (username, password_hash))
return TRUE;
}
#endif
return uid >= MINIMUM_UID; return uid >= MINIMUM_UID;
} }