From 198f4dd4498392c20169480bd069706bce4c69f3 Mon Sep 17 00:00:00 2001
From: Michael Catanzaro
Date: Wed, 4 Mar 2020 16:22:47 -0600
Subject: Remove user heuristics

We don't want this code running except on Red Hat systems, where we can maintain it in a downstream patch if need be. The heuristic has been wrong before (e.g. as in #57) and is not useful on upstream systems where 1000 is the presumed minimum uid for human users.
---
 meson.build | 1 -
 meson_options.txt | 1 -
 src/user-classify.c | 41 -----------------------------------------
 3 files changed, 43 deletions(-)

diff --git a/meson.build b/meson.build
index 3f4526a..aa87d0d 100644
--- a/meson.build
+++ b/meson.build
@@ -187,7 +187,6 @@ extra_admin_groups = ','.join(get_option('extra_admin_groups'))
 config_h.set_quoted('ADMIN_GROUP', admin_group)
 config_h.set_quoted('EXTRA_ADMIN_GROUPS', extra_admin_groups)
-config_h.set('ENABLE_USER_HEURISTICS', get_option('user_heuristics'))
 config_h.set('MINIMUM_UID', get_option('minimum_uid'))
 # GDM
diff --git a/meson_options.txt b/meson_options.txt
index 7d088de..93f384a 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -2,7 +2,6 @@ option('systemdsystemunitdir', type: 'string', value: '', description: 'custom d
 option('gdmconffile', type: 'string', value: '/etc/gdm/custom.conf', description: 'GDM configuration file')
 option('admin_group', type: 'string', value: '', description: 'Set group for administrative accounts')
-option('user_heuristics', type: 'boolean', value: true, description: 'Enable heuristics for guessing system vs. human users in the range 500-minimum-uid')
 option('extra_admin_groups', type: 'array', value: [], description: 'Comma-separated list of extra groups that administrator users are part of')
 option('minimum_uid', type: 'integer', value: 1000, description: 'Set minimum uid for human users')
diff --git a/src/user-classify.c b/src/user-classify.c
index 9db1c9a..91f29b4 100644
--- a/src/user-classify.c
+++ b/src/user-classify.c
@@ -76,39 +76,6 @@ user_classify_is_blacklisted (const char *username)
 return FALSE;
 }
-#ifdef ENABLE_USER_HEURISTICS
-static gboolean
-user_classify_is_excluded_by_heuristics (const gchar *username,
- const gchar *password_hash)
-{
- gboolean ret = FALSE;
-
- if (password_hash != NULL) {
- /* skip over the account-is-locked '!' prefix if present */
- if (password_hash[0] == '!')
- password_hash++;
-
- if (password_hash[0] != '\0') {
- /* modern hashes start with "$n$" */
- if (password_hash[0] == '$') {
- if (strlen (password_hash) < 4)
- ret = TRUE;
-
- /* DES crypt is base64 encoded [./A-Za-z0-9]*
- */
- } else if (!g_ascii_isalnum (password_hash[0]) &&
- password_hash[0] != '.' &&
- password_hash[0] != '/') {
- ret = TRUE;
- }
- }
-
- }
-
- return ret;
-}
-#endif /* ENABLE_USER_HEURISTICS */
-
 static gboolean
 is_invalid_shell (const char *shell)
 {
@@ -156,13 +123,5 @@ user_classify_is_human (uid_t uid,
 if (shell != NULL && is_invalid_shell (shell))
 return FALSE;
-#ifdef ENABLE_USER_HEURISTICS
- /* only do heuristics on the range 500-1000 to catch one off migration problems in Fedora */
- if (uid >= 500 && uid < MINIMUM_UID) {
- if (!user_classify_is_excluded_by_heuristics (username, password_hash))
- return TRUE;
- }
-#endif
-
 return uid >= MINIMUM_UID;
 }
-- 
cgit v1.2.1