Bug 25677

Summary: MSEC not understanding LDAP users
Product: Mageia
Reporter: Dag Nygren <dag>
Component: RPM Packages
Assignee: All Packagers <pkg-bugs>
Status: RESOLVED INVALID
QA Contact:
Severity: normal
Priority: Normal
CC: thierry.vignaud
Version: 7
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: msec-2.7-1.mga7.src.rpm
CVE:
Status comment:

Description Dag Nygren 2019-11-10 12:44:12 CET
Description of problem:
A MSEC check will falsely report files owned by an LDAP user with: "these files shouldn't be owned by someone else or readable"

Version-Release number of selected component (if applicable):
Fully updated Mageia 7

How reproducible:
Consistent

Steps to Reproduce:
1. Connect your Mageia to LDAP
2. Run msec
3. Look at the report

Extract from report:

Security Warning: these files shouldn't be owned by someone else or readable :
- /home/dag/.Xauthority : file is owned by uid 2001.

"getent passwd | grep dag" returns with:

dag:*:2001:2001:Dag Nygren:/home/dag:/bin/bash
Comment 1 Lewis Smith 2019-11-10 21:23:14 CET
Thank you for reporting this.
Which seems to be that msec is complaining incorrectly: the UID *is* that of the file owner. If I understand it right.

Msec has no registered maintainer, so assigning this globally. CC tv as a past committer.

Assignee: bugsquad => pkg-bugs
CC: (none) => thierry.vignaud
Source RPM: msec-2.7-1.mga7 => msec-2.7-1.mga7.src.rpm

Comment 2 Dag Nygren 2020-09-20 17:19:35 CEST
Just traced this as it started to annoy me and found that the real problem was that we had an unorthodox method of aliasing a username by entering two entries with different names, but the same home directory. Obviously the files could only be owned by one of these and msec reacted to the other user.

So I think we can close this report.

Resolution: (none) => INVALID
Status: NEW => RESOLVED
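
The root cause identified in comment 2 (two passwd entries with different names sharing one home directory) can be checked for directly before treating such an msec warning as a bug. The script below is an added example, not part of the original report or of msec; the alias entry `dagn` with uid 2002, the `alice` entry and the default minimum UID of 1000 are assumptions made for the constructed sample.

```shell
#!/bin/sh
# Added example: list home directories claimed by more than one passwd entry.
# Input: passwd-format lines (name:pw:uid:gid:gecos:home:shell) on stdin.
# $1 (optional): lowest UID to consider, so system accounts that
# legitimately share "/" or similar are skipped. 1000 is an assumed default.
shared_homes() {
    min_uid=${1:-1000}
    awk -F: -v min="$min_uid" '
        NF >= 7 && $6 != "" && $3 + 0 >= min + 0 {
            n[$6]++
            # Collect "name(uid)" for every entry using this home directory
            who[$6] = who[$6] (who[$6] == "" ? "" : ",") $1 "(" $3 ")"
        }
        END {
            for (h in n)
                if (n[h] > 1)
                    print h ": " who[h]
        }
    ' | sort
}

# Constructed sample. The "dag" line is the one quoted in the report;
# "dagn" (uid 2002) is a hypothetical alias entry, "alice" is filler.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
dag:*:2001:2001:Dag Nygren:/home/dag:/bin/bash
dagn:*:2002:2001:Dag Nygren:/home/dag:/bin/bash
alice:*:2003:2003:Alice:/home/alice:/bin/bash
EOF
}

# On a live system (local files plus LDAP): getent passwd | shared_homes
sample_passwd | shared_homes
```

Any home directory printed here is shared by several accounts, and files in it can only be owned by one of the listed UIDs.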