@lucasmrod lucasmrod commented May 31, 2024

#8337

For manual testing I used this guide to set up a local OpenLDAP directory server and an Ubuntu VM that uses that server for authentication.

The Ubuntu VM has 51 local users and 2 "remote" users (joe,uid:1005 and julie,uid:1006) in an LDAP directory.

SELECT uid,username FROM users; // returns 51 local users as expected
+-------+---------------------+
| uid   | username            |
+-------+---------------------+
| 0     | root                |
| 1     | daemon              |
| 2     | bin                 |
| 3     | sys                 |
| 4     | sync                |
| 5     | games               |
| 6     | man                 |
| 7     | lp                  |
| 8     | mail                |
| 9     | news                |
| 10    | uucp                |
| 13    | proxy               |
| 33    | www-data            |
| 34    | backup              |
| 38    | list                |
| 39    | irc                 |
| 41    | gnats               |
| 65534 | nobody              |
| 100   | systemd-network     |
| 101   | systemd-resolve     |
| 102   | messagebus          |
| 103   | systemd-timesync    |
| 104   | syslog              |
| 105   | _apt                |
| 106   | tss                 |
| 107   | uuidd               |
| 108   | systemd-oom         |
| 109   | tcpdump             |
| 110   | avahi-autoipd       |
| 111   | usbmux              |
| 112   | dnsmasq             |
| 113   | kernoops            |
| 114   | avahi               |
| 115   | cups-pk-helper      |
| 116   | rtkit               |
| 117   | whoopsie            |
| 118   | sssd                |
| 119   | speech-dispatcher   |
| 120   | fwupd-refresh       |
| 121   | nm-openvpn          |
| 122   | saned               |
| 123   | colord              |
| 124   | geoclue             |
| 125   | pulse               |
| 126   | gnome-initial-setup |
| 127   | hplip               |
| 128   | gdm                 |
| 1000  | luk                 |
| 1002  | citrixlog           |
| 129   | openldap            |
| 1003  | zoo                 |
+-------+---------------------+

SELECT uid,username FROM users WHERE include_remote=1; // returns 53 users as expected
+-------+---------------------+
| uid   | username            |
+-------+---------------------+
| 0     | root                |
| 1     | daemon              |
| 2     | bin                 |
| 3     | sys                 |
| 4     | sync                |
| 5     | games               |
| 6     | man                 |
| 7     | lp                  |
| 8     | mail                |
| 9     | news                |
| 10    | uucp                |
| 13    | proxy               |
| 33    | www-data            |
| 34    | backup              |
| 38    | list                |
| 39    | irc                 |
| 41    | gnats               |
| 65534 | nobody              |
| 100   | systemd-network     |
| 101   | systemd-resolve     |
| 102   | messagebus          |
| 103   | systemd-timesync    |
| 104   | syslog              |
| 105   | _apt                |
| 106   | tss                 |
| 107   | uuidd               |
| 108   | systemd-oom         |
| 109   | tcpdump             |
| 110   | avahi-autoipd       |
| 111   | usbmux              |
| 112   | dnsmasq             |
| 113   | kernoops            |
| 114   | avahi               |
| 115   | cups-pk-helper      |
| 116   | rtkit               |
| 117   | whoopsie            |
| 118   | sssd                |
| 119   | speech-dispatcher   |
| 120   | fwupd-refresh       |
| 121   | nm-openvpn          |
| 122   | saned               |
| 123   | colord              |
| 124   | geoclue             |
| 125   | pulse               |
| 126   | gnome-initial-setup |
| 127   | hplip               |
| 128   | gdm                 |
| 1000  | luk                 |
| 1002  | citrixlog           |
| 129   | openldap            |
| 1003  | zoo                 |
| 1005  | joe                 |
| 1006  | julie               |
+-------+---------------------+

SELECT * FROM users where uid = 1000; // returns a local user luk as expected
+------+------+------------+------------+----------+-------------+-----------+-----------+------+
| uid  | gid  | uid_signed | gid_signed | username | description | directory | shell     | uuid |
+------+------+------------+------------+----------+-------------+-----------+-----------+------+
| 1000 | 1000 | 1000       | 1000       | luk      | Lucas,,,    | /home/luk | /bin/bash |      |
+------+------+------------+------------+----------+-------------+-----------+-----------+------+

SELECT * FROM users where username = 'luk'; // returns a local user luk as expected
+------+------+------------+------------+----------+-------------+-----------+-----------+------+
| uid  | gid  | uid_signed | gid_signed | username | description | directory | shell     | uuid |
+------+------+------------+------------+----------+-------------+-----------+-----------+------+
| 1000 | 1000 | 1000       | 1000       | luk      | Lucas,,,    | /home/luk | /bin/bash |      |
+------+------+------------+------------+----------+-------------+-----------+-----------+------+

SELECT * FROM users where username = 'luk' OR uid < 10; // returns a local user luk + other local users as expected
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+
| uid  | gid   | uid_signed | gid_signed | username | description | directory       | shell             | uuid |
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+
| 1000 | 1000  | 1000       | 1000       | luk      | Lucas,,,    | /home/luk       | /bin/bash         |      |
| 0    | 0     | 0          | 0          | root     | root        | /root           | /bin/bash         |      |
| 1    | 1     | 1          | 1          | daemon   | daemon      | /usr/sbin       | /usr/sbin/nologin |      |
| 2    | 2     | 2          | 2          | bin      | bin         | /bin            | /usr/sbin/nologin |      |
| 3    | 3     | 3          | 3          | sys      | sys         | /dev            | /usr/sbin/nologin |      |
| 4    | 65534 | 4          | 65534      | sync     | sync        | /bin            | /bin/sync         |      |
| 5    | 60    | 5          | 60         | games    | games       | /usr/games      | /usr/sbin/nologin |      |
| 6    | 12    | 6          | 12         | man      | man         | /var/cache/man  | /usr/sbin/nologin |      |
| 7    | 7     | 7          | 7          | lp       | lp          | /var/spool/lpd  | /usr/sbin/nologin |      |
| 8    | 8     | 8          | 8          | mail     | mail        | /var/mail       | /usr/sbin/nologin |      |
| 9    | 9     | 9          | 9          | news     | news        | /var/spool/news | /usr/sbin/nologin |      |
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+

SELECT * FROM users where (username = 'luk' OR uid < 10) AND include_remote=1; // returns a local user luk + other local users as expected
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+
| uid  | gid   | uid_signed | gid_signed | username | description | directory       | shell             | uuid |
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+
| 0    | 0     | 0          | 0          | root     | root        | /root           | /bin/bash         |      |
| 1    | 1     | 1          | 1          | daemon   | daemon      | /usr/sbin       | /usr/sbin/nologin |      |
| 2    | 2     | 2          | 2          | bin      | bin         | /bin            | /usr/sbin/nologin |      |
| 3    | 3     | 3          | 3          | sys      | sys         | /dev            | /usr/sbin/nologin |      |
| 4    | 65534 | 4          | 65534      | sync     | sync        | /bin            | /bin/sync         |      |
| 5    | 60    | 5          | 60         | games    | games       | /usr/games      | /usr/sbin/nologin |      |
| 6    | 12    | 6          | 12         | man      | man         | /var/cache/man  | /usr/sbin/nologin |      |
| 7    | 7     | 7          | 7          | lp       | lp          | /var/spool/lpd  | /usr/sbin/nologin |      |
| 8    | 8     | 8          | 8          | mail     | mail        | /var/mail       | /usr/sbin/nologin |      |
| 9    | 9     | 9          | 9          | news     | news        | /var/spool/news | /usr/sbin/nologin |      |
| 1000 | 1000  | 1000       | 1000       | luk      | Lucas,,,    | /home/luk       | /bin/bash         |      |
+------+-------+------------+------------+----------+-------------+-----------------+-------------------+------+

SELECT * FROM users where (username = 'julie' OR uid = 1005) AND include_remote=1; // returns the two remote users as expected
+------+-----+------------+------------+----------+-------------+-------------+---------+------+
| uid  | gid | uid_signed | gid_signed | username | description | directory   | shell   | uuid |
+------+-----+------------+------------+----------+-------------+-------------+---------+------+
| 1005 | 600 | 1005       | 600        | joe      | joe         | /home/joe   | /bin/sh |      |
| 1006 | 600 | 1006       | 600        | julie    | julie       | /home/julie | /bin/sh |      |
+------+-----+------------+------------+----------+-------------+-------------+---------+------+

SELECT * FROM users where (username = 'julie' OR uid = 1005); // returns empty as expected

@lucasmrod lucasmrod requested review from a team as code owners May 31, 2024 19:52

@zwass zwass left a comment

IIRC we had decided to add a flag-like column to the users table so that LDAP users could still be retrieved after this change? Was that incorrect? I have some concern about removing the ability to do that entirely.

@lucasmrod

IIRC we had decided to add a flag-like column to the users table so that LDAP users could still be retrieved after this change? Was that incorrect? I have some concern about removing the ability to do that entirely.

Makes sense! I missed the part that we wanted the new flag for LDAP users from the get-go.

@lucasmrod lucasmrod force-pushed the 8337-users-table-only-local-users-on-linux branch from 478e246 to 8fcbd56 Compare June 6, 2024 20:57
@lucasmrod

IIRC we had decided to add a flag-like column to the users table so that LDAP users could still be retrieved after this change? Was that incorrect? I have some concern about removing the ability to do that entirely.

@zwass I've added an include_remote flag that, if set to 1, just uses the existing code (which returns local + remote).
And if the flag is not set, then it just parses /etc/passwd.
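
Added example (not part of the PR and not osquery's code): a sketch of the split described in the comment above, where the default result comes from parsing `/etc/passwd` and `include_remote=1` returns whatever the name service reports. The names `parsePasswd`, `remoteOnly`, `kPasswd` and `kNss` are hypothetical, and the sample data is constructed to mirror the test VM (local `luk`, LDAP users `joe` and `julie`).

```cpp
// Added illustration, not osquery source; every name below is hypothetical.
#include <algorithm>
#include <cctype>
#include <cstdint>
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <vector>

struct User { uint32_t uid; std::string username; };

// Parse passwd(5) text (name:passwd:uid:gid:gecos:dir:shell), skipping blank
// lines, comments, NIS compat lines (+/-) and malformed rows.
std::vector<User> parsePasswd(const std::string& text) {
  std::vector<User> users;
  std::istringstream in(text);
  std::string line;
  while (std::getline(in, line)) {
    if (line.empty() || line[0] == '#' || line[0] == '+' || line[0] == '-') continue;
    if (std::count(line.begin(), line.end(), ':') != 6) continue;
    size_t c1 = line.find(':'), c2 = line.find(':', c1 + 1), c3 = line.find(':', c2 + 1);
    std::string name = line.substr(0, c1), uid = line.substr(c2 + 1, c3 - c2 - 1);
    bool digits = !uid.empty() && uid.size() <= 10 &&
        std::all_of(uid.begin(), uid.end(), [](unsigned char c) { return std::isdigit(c) != 0; });
    if (name.empty() || !digits) continue;
    unsigned long long v = std::stoull(uid);  // at most 10 digits, cannot overflow
    if (v <= UINT32_MAX) users.push_back({static_cast<uint32_t>(v), name});
  }
  return users;
}

// Accounts the name service reports that have no /etc/passwd entry: the rows
// that only show up when include_remote=1 is set.
std::vector<User> remoteOnly(const std::string& passwd, const std::vector<User>& nss) {
  std::set<std::string> local;
  for (const auto& u : parsePasswd(passwd)) local.insert(u.username);
  std::vector<User> out;
  for (const auto& u : nss) if (local.count(u.username) == 0) out.push_back(u);
  return out;
}

// Constructed sample data modelled on the test VM in the PR description.
const std::string kPasswd =
    "root:x:0:0:root:/root:/bin/bash\n# comment\nbroken:x:notanumber\n"
    "luk:x:1000:1000:Lucas,,,:/home/luk:/bin/bash\n";
const std::vector<User> kNss = {{0, "root"}, {1000, "luk"}, {1005, "joe"}, {1006, "julie"}};

int main() {
  for (const auto& u : remoteOnly(kPasswd, kNss)) std::cout << u.uid << ' ' << u.username << '\n';
}
```

For inventory or detection work, the same difference tells you which accounts on a host are defined only in the directory rather than in the local file.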

@lucasmrod lucasmrod requested a review from zwass June 6, 2024 20:59
@lucasmrod lucasmrod changed the title from "Table users on linux to return only users in /etc/passwd" to "Table users on linux by default to return only users in /etc/passwd" Jun 10, 2024
@directionless directionless added this to the 5.13 milestone Jun 18, 2024
directionless previously approved these changes Jun 20, 2024
@lucasmrod lucasmrod requested a review from directionless June 26, 2024 21:53

@zwass zwass left a comment

Nice, thank you for including the manual test plan in the PR description!
