Mimsy Were the Borogoves

Mimsy Were the Technocrats: As long as we keep talking about it, it’s technology.

Shared uidNumber? You have got to be kidding me!

Jerry Stratton, April 26, 2013

I was just about to do some work on the student life web account, and I had to sudo into it:

[jerry@files ~]$ cd /var/www/html/studentlife/
-bash: cd: /var/www/html/studentlife/: Permission denied
[jerry@files ~]$ sudo -u studentlife -s
[sudo] password for jerry:
[randomstudent@files ~]$

Wait, what? How could I sudo to “studentlife” and end up as “randomstudent”? I did a check in LDAP, and sure enough, the studentlife web account and randomstudent (yes, name redacted, it wasn’t their fault) share the same uidNumber. For those of you who aren’t familiar with Unix account systems, the uidNumber determines what the account has access to; two accounts with the same uidNumber are for all practical purposes one account. They can each do whatever they want to the other account: view its files, modify its files, run its software, etc.

I created a high priority security ticket, then realized I’d better see if any other conflicts exist.
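A check of that kind can be run against a saved directory dump rather than by hand. The script below is an added example, not the author's code: it assumes an LDIF export of posixAccount entries (for instance from `ldapsearch -x -LLL '(objectClass=posixAccount)' uid uidNumber`), unfolds LDIF continuation lines, decodes base64 (`::`) values, and reports every uidNumber that more than one uid resolves to. The sample data is constructed; the account names and numbers in it are placeholders.

```python
"""Find uidNumber values shared by more than one account in an LDIF dump.

Added example (not from the original post). Assumes the directory stores
POSIX accounts with 'uid' and 'uidNumber' attributes, as a posixAccount does.
Run with a real dump on stdin, or with no input to use the constructed sample:

    ldapsearch -x -LLL '(objectClass=posixAccount)' uid uidNumber | python3 shared_uids.py
"""
import base64
import sys
from collections import defaultdict

# Constructed sample LDIF modelled on the collision in the post. The folded
# uidNumber line and the base64-encoded uid exercise two LDIF quirks that a
# naive "split every line on ': '" approach gets wrong.
SAMPLE_LDIF = """\
dn: uid=studentlife,ou=people,dc=example,dc=edu
uid: studentlife
uidNumber: 10457
gidNumber: 100

dn: uid=randomstudent,ou=people,dc=example,dc=edu
uid: randomstudent
uidNumber:
 10457
gidNumber: 100

dn: uid=jerry,ou=people,dc=example,dc=edu
uid: jerry
uidNumber: 1001

dn: uid=webdev,ou=people,dc=example,dc=edu
uid:: d2ViZGV2
uidNumber: 20001

dn: uid=intern,ou=people,dc=example,dc=edu
uid: intern
uidNumber: 20001
"""


def parse_ldif(text):
    """Yield one dict per LDIF record: {lowercased attribute: [values]}.

    A line beginning with a single space continues the previous line, and
    'attr:: value' carries a base64-encoded value; both are handled here.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # join continuation onto previous line
        else:
            unfolded.append(raw)

    record = defaultdict(list)
    for line in unfolded:
        if not line.strip():             # blank line ends a record
            if record:
                yield dict(record)
                record = defaultdict(list)
            continue
        if line.startswith("#"):         # LDIF comment
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):         # base64 value: 'attr:: ...'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        record[attr.strip().lower()].append(value)
    if record:
        yield dict(record)


def find_shared_uidnumbers(records):
    """Return {uidNumber: sorted uids} for every uidNumber owned by 2+ accounts.

    Entries lacking either attribute are skipped; they are not POSIX accounts
    that the name service would ever resolve to a numeric id.
    """
    by_number = defaultdict(set)
    for rec in records:
        for number in rec.get("uidnumber", []):
            for name in rec.get("uid", []):
                by_number[number].add(name)
    return {num: sorted(names) for num, names in by_number.items() if len(names) > 1}


def report(text):
    """Human-readable summary lines, collisions first, count last."""
    shared = find_shared_uidnumbers(parse_ldif(text))
    numeric = lambda n: (0, int(n)) if n.isdigit() else (1, n)  # odd values sort last
    lines = [f"uidNumber {n} shared by: {', '.join(shared[n])}" for n in sorted(shared, key=numeric)]
    lines.append(f"{len(shared)} shared uidNumber(s) found")
    return lines


if __name__ == "__main__":
    source = SAMPLE_LDIF if sys.stdin.isatty() else sys.stdin.read()
    print("\n".join(report(source)))
```

Because a uidNumber, not a name, is what the kernel checks, a reverse lookup of a shared number can hand back either account's name, which is why the prompt above read randomstudent after a sudo to studentlife. The count printed on the last line is the figure worth tracking in a ticket.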

One thousand, five hundred, fifty-five shared uidNumbers.

This went beyond a minor glitch in account creation. I went to talk to the guy in charge of identity management.

“Yes, we know, we’re waiting to move to the new system.”

The old system they’re waiting to move from is the same system I’ve been complaining about that silently truncates passwords.[1] No wonder they don’t care that our students’ passwords are easily guessed. Some of them don’t even need passwords to hack someone else’s account. Four of them potentially have access to accounts on the main web server, and at least one has access to an IT developer’s account.

In response to “Embarrassing password tricks: Never trust anyone over 30 characters.”

  1. Yes, as of the time of writing this, passwords are still truncated to eight characters without telling the user.