Bug 21624 - Users nobody (and sometimes root) is displayed in KDM connection screen
Summary: Users nobody (and sometimes root) is displayed in KDM connection screen
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages (show other bugs)
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard: MGA5-32-OK MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-08-28 07:39 CEST by papoteur
Modified: 2019-04-04 13:12 CEST (History)
12 users (show)

See Also:
Source RPM: mageia-kde4-config-5-0.20150505.3.mga5, mageia-kde4-config-5-0.20150505.3.mga5
CVE:
Status comment:


Attachments

Description papoteur 2017-08-28 07:39:29 CEST
Since an update, user "nobody" is displayed in KDM connection screen.
Comment 1 David Walser 2017-08-28 11:03:08 CEST
This is likely due to a patch meant to show users with UIDs between 500 and 1000 despite 1000 being set as the minimum UID.

Summary: User nobody is displayed in KDM connection screen => Users nobody (and sometimes root) is displayed in KDM connection screen
Assignee: bugsquad => kde
Source RPM: kdm => kdebase4-workspace-4.11.22-1.mga5.src.rpm

Comment 2 Jin-tong Hu 2017-08-29 14:19:30 CEST
The same here. And I notice that nobody is a group name w/ group id 998, but no nobody user name exists. (From Mageia Control Center -> System -> Manage users on system)

CC: (none) => piscestong

Comment 3 Piotr Pikuta 2017-08-30 21:02:57 CEST
I confirm this bug in mga5, most probably due to MGAA-2017-0066.

I noticed that not only the user 'nobody' but also all users which are hidden are shown in the login screen. It looks like kdmrc setting
    ShowUsers=NotHidden
is not taken into account while displaying the login screen.
If you change ShowUsers to 
    ShowUsers=Selected
and add
    SelectedUsers=your-user-name-here
the login screen displays only 'your-user-name-here'.

It's worth mentiong that the bug appears only if msec security level is standard, if it's set to secure, everything is OK.

CC: (none) => piotr.pikuta

Piotr Pikuta 2017-08-30 21:24:51 CEST

CC: piotr.pikuta => (none)

Comment 4 Tony Blackwell 2017-09-19 23:00:06 CEST
Its confusing my users and just generally very untidy.  Love to see a fix

CC: (none) => tablackwell

Comment 5 Marja Van Waes 2017-09-20 09:14:32 CEST
(In reply to Piotr Pikuta from comment #3)
> I confirm this bug in mga5, most probably due to MGAA-2017-0066.

In bug #17123, comment #49 about that update, doktor5000 asked for a workaround. 
CC'ing him in case he didn't see yours.
> 
> I noticed that not only the user 'nobody' but also all users which are
> hidden are shown in the login screen. It looks like kdmrc setting
>     ShowUsers=NotHidden
> is not taken into account while displaying the login screen.
> If you change ShowUsers to 
>     ShowUsers=Selected
> and add
>     SelectedUsers=your-user-name-here
> the login screen displays only 'your-user-name-here'.

Thanks for that, Piotr :-)
That is this kdmrc :
/var/lib/mageia/kde4-profiles/Default/share/config/kdm/kdmrc that comes from mageia-kde4-config, right? 
Asking because /usr/share/config/kdm/kdmrc, belonging to no package, existed in Mageia or maybe still exists, see bug #4097
 
> 
> It's worth mentiong that the bug appears only if msec security level is
> standard, if it's set to secure, everything is OK.

Source RPM: kdebase4-workspace-4.11.22-1.mga5.src.rpm => mageia-kde4-config-5-0.20150505.3.mga5, mageia-kde4-config-5-0.20150505.3.mga5
CC: (none) => doktor5000, marja11

Comment 6 Mike Rambo 2017-09-22 18:18:16 CEST
For those interested/willing... when I downgraded from kdm-4.11.22-1.mga5 to the original kdm-4.11.16-5.mga5 this problem went away. The latter is still on the mirrors in core/release. You'll have to add kdm to the skip.list to keep it from updating again though.

There was a change in revision 1066318 to kdebase4-workspace that might be behind this though I can't sort out why. That change looks like it sets an upper uid limit - perhaps one with intended consequences. Since kdm is apparently derived from kdebase4-workspace it would appear that it instead of mageia-kde4-config is behind this problem.

CC: (none) => mrambo

Comment 7 John L. ten Wolde 2017-09-26 23:40:07 CEST
Just ran across this report and I've nothing much to add except to say that since the KDE4 base upgrade (2017-08-24) to fix Bug 17123 I've been seeing "nobody" at the login screen as well.

Thanks to Piotr (Comment #3) for his workaround.  I'm not on the machine in question right now, but will implement it at first opportunity.

CC: (none) => johnltw

Comment 8 John L. ten Wolde 2017-10-01 22:52:50 CEST
(In reply to Piotr Pikuta from comment #3)
> If you change ShowUsers to 
>     ShowUsers=Selected
> and add
>     SelectedUsers=your-user-name-here
> the login screen displays only 'your-user-name-here'.
Hi Piotr.  I tried your workaround, but unfortunately the change to ShowUsers doesn't stick.  Either at boot (or shutdown?) the line in kdmrc gets rewritten from "ShowUsers=Selected" back to "ShowUsers=Hidden".  :-(
Comment 9 Piotr Pikuta 2017-10-02 22:09:35 CEST
(In reply to John ten Wolde from comment #8)
> Hi Piotr.  I tried your workaround, but unfortunately the change to
> ShowUsers doesn't stick.  Either at boot (or shutdown?) the line in kdmrc
> gets rewritten from "ShowUsers=Selected" back to "ShowUsers=Hidden".  :-(

This is msec that changes "ShowUsers=Selected" back to "ShowUsers=Hidden". You need to add the following line
    ALLOW_USER_LIST=no
at the beginning of the file
    /etc/security/msec/security.conf
Then run msec or wait one hour.

See also https://forums.mageia.org/en/viewtopic.php?f=7&t=11952 where I posted the detailed version of the workaround.

The "ShowUsers=Hidden" is a default option if msec security level is standard. Otherwise (if it's set to secure) "ShowUsers=Selected" is the default. Adding "ALLOW_USER_LIST=no" makes "ShowUsers=Selected" the default option.
Comment 10 John L. ten Wolde 2017-10-02 23:50:08 CEST
(In reply to Piotr Pikuta from comment #9)
> This is msec that changes "ShowUsers=Selected" back to "ShowUsers=Hidden".
> You need to add the following line...
Ah. Excellent.  I hadn't read that forum thread.  Now I'll be sure to beat "nobody" into permanent submission when I'm next using that machine.  Thanks for the assist.
Comment 11 David Walser 2018-01-01 00:20:28 CET
Please make sure that legitimate users between UID 500 and 1000 still are shown and that system users are not shown.

Advisory:
----------------------------------------

The previous update to the kdebase4-workspace package contained an error that
caused the "root" and "nobody" users to be shown in KDM's user list.  This
error has been corrected.

----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
kdebase4-workspace-4.11.22-2.mga5
kdebase4-workspace-handbooks-4.11.22-2.mga5
kdebase4-workspace-plasma-config-4.11.22-2.mga5
plasma-scriptengine-ruby-4.11.22-2.mga5
plasma-scriptengine-python-4.11.22-2.mga5
kde4-style-oxygen-4.11.22-2.mga5
liboxygenstyle4-4.11.22-2.mga5
liboxygenstyleconfig4-4.11.22-2.mga5
libweather_ion6-4.11.22-2.mga5
libkdecorations4-4.11.22-2.mga5
libkscreensaver5-4.11.22-2.mga5
libksgrd4-4.11.22-2.mga5
libkwineffects1-4.11.22-2.mga5
libkwinglesutils1-4.11.22-2.mga5
libkworkspace4-4.11.22-2.mga5
libplasmaclock4-4.11.22-2.mga5
libprocesscore4-4.11.22-2.mga5
libprocessui4-4.11.22-2.mga5
libkhotkeysprivate4-4.11.22-2.mga5
libkfontinst4-4.11.22-2.mga5
libkfontinstui4-4.11.22-2.mga5
libtaskmanager4-4.11.22-2.mga5
liblsofui4-4.11.22-2.mga5
libkephal4-4.11.22-2.mga5
libksignalplotter4-4.11.22-2.mga5
libpowerdevilcore0-4.11.22-2.mga5
libpowerdevilconfigcommonprivate4-4.11.22-2.mga5
libpowerdevilui4-4.11.22-2.mga5
libsystemsettingsview2-4.11.22-2.mga5
libplasma-geolocation-interface4-4.11.22-2.mga5
libplasma_applet_system_monitor4-4.11.22-2.mga5
libplasmagenericshell4-4.11.22-2.mga5
libkwinglutils1-4.11.22-2.mga5
plasma-applet-calendar-4.11.22-2.mga5
plasma-krunner-powerdevil-4.11.22-2.mga5
plasma-runner-places-4.11.22-2.mga5
plasma-applet-quicklaunch-4.11.22-2.mga5
plasma-applet-battery-4.11.22-2.mga5
plasma-applet-webbrowser-4.11.22-2.mga5
plasma-applet-system-monitor-temperature-4.11.22-2.mga5
plasma-applet-system-monitor-net-4.11.22-2.mga5
plasma-applet-system-monitor-hwinfo-4.11.22-2.mga5
plasma-applet-system-monitor-hdd-4.11.22-2.mga5
plasma-applet-system-monitor-cpu-4.11.22-2.mga5
kdm-4.11.22-2.mga5
kdm-handbook-4.11.22-2.mga5
kinfocenter-4.11.22-2.mga5
kinfocenter-handbook-4.11.22-2.mga5
krandr-4.11.22-2.mga5
kdebase4-workspace-devel-4.11.22-2.mga5

from kdebase4-workspace-4.11.22-2.mga5.src.rpm

Assignee: kde => qa-bugs
CC: (none) => kde, luigiwalser

Dave Hodgins 2018-01-01 09:07:47 CET

Keywords: (none) => advisory
CC: (none) => davidwhodgins

Comment 12 Dave Hodgins 2018-01-01 09:38:04 CET
Tested under vb and on real hardware. Validating the update.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 13 Mageia Robot 2018-01-01 11:39:41 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGAA-2018-0002.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 14 kalagani kalagani 2018-01-01 19:22:51 CET
Hello,
with the last MGA5 update with
- fix patch 417 to not show root and nobody in users list
in kdebase4-workspace package
on my PC, the nobody account do not appear, only registered users!
So, good news, and best wishes for the New Year!

CC: (none) => kalagani

ankit saini 2019-04-04 08:54:08 CEST

CC: (none) => ankesaini99


Note You need to log in before you can comment on or make changes to this bug.