daemon: Define local users as being exactly those present in /etc/shadow

  • daemon: Clarify use of generator_state->users

  • daemon: Define local users as being exactly those present in /etc/shadow

    According to https://bugs.freedesktop.org/show_bug.cgi?id=48177 and !116 (closed), the intention is that merely existing in /etc/passwd is not enough to consider an account to be local; it must also be listed in /etc/shadow. This was done to provide graceful handling of systems where the complete list of LDAP/NIS/etc. users is written into /etc/passwd by rsync or similar instead of using an NSS plugin (but authentication still uses a PAM plugin). However, this unintentionally regressed in 34bedecf, which continues reading after an account not in /etc/shadow is found.

    entry_generator_fgetpwent() intentionally only outputs a maximum of 50 users, and only outputs users that are classified as likely to be human users' accounts, as opposed to system uids. However, when enumerating cached or explicitly requested users, we need to look them up in a complete list of local users. Otherwise, we can incorrectly classify local users as remote (if they are beyond the limit of 50 or have a username or shell that is more typically used for system users), which makes at least GNOME Settings display a misleading user interface for those users.

    Resolves: #107 (closed)
    Bug-Debian: https://bugs.debian.org/1030262


Alternative to !116 (closed).

/cc @halfline
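
The classification rule from the commit messages above, as an added example that is not code from this merge request or from accountsservice: an account is local only if it appears in both files, and that check runs against the complete files rather than a filtered display list. The sample file contents and the names `find_entry`, `is_local_user` and `shown_in_list` are assumptions made for illustration, and the nologin-shell filter is a stand-in for the project's real heuristics.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data, not taken from any real system. */
static const char PASSWD[] =
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "ldapuser:x:20001:20001:Synced from LDAP:/home/ldapuser:/bin/bash\n"
    "backup-op:x:1001:1001:Operator:/home/backup-op:/usr/sbin/nologin\n";
static const char SHADOW[] =
    "alice:!:19000:0:99999:7:::\n"
    "backup-op:!:19000:0:99999:7:::\n";

/* Return the line whose first colon-separated field equals name, or NULL. */
static const char *find_entry(const char *db, const char *name)
{
    size_t n = strlen(name);
    for (const char *line = db; line && *line; ) {
        if (strncmp(line, name, n) == 0 && line[n] == ':')
            return line;
        line = strchr(line, '\n');
        if (line) line++;
    }
    return NULL;
}

/* Local = in passwd AND in shadow, checked against the complete files. */
bool is_local_user(const char *passwd, const char *shadow, const char *name)
{
    return find_entry(passwd, name) != NULL && find_entry(shadow, name) != NULL;
}

/* Hypothetical display filter: hide accounts whose shell ends in "nologin". */
bool shown_in_list(const char *passwd, const char *name)
{
    const char *p = find_entry(passwd, name);
    for (int i = 0; p && i < 6; i++) {          /* skip to field 7, the shell */
        p += strcspn(p, ":\n");
        p = (*p == ':') ? p + 1 : NULL;
    }
    size_t len = p ? strcspn(p, "\n") : 0;
    return p && !(len >= 7 && strncmp(p + len - 7, "nologin", 7) == 0);
}

int main(void)
{
    const char *names[] = { "alice", "ldapuser", "backup-op" };
    for (int i = 0; i < 3; i++)
        printf("%-10s local=%d shown=%d\n", names[i], is_local_user(PASSWD, SHADOW, names[i]), shown_in_list(PASSWD, names[i]));
}
```

In the sample, `backup-op` is hidden from the display list yet still classified as local, while `ldapuser` is in the passwd data only and is classified as remote.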