[Bug 785051] Re: groupsfile is ignored when any entry has id < 500
Sergio Costas
785051 at bugs.launchpad.net
Thu Jan 18 15:49:41 UTC 2024
There is patched .deb in the Core Desktop PPA:
https://launchpad.net/~desktop-snappers/+archive/ubuntu/core-desktop
(version 0.6-4.1+ucd1).
** Description changed:
+ [Impact]
Binary package hint: libnss-extrausers
If any /var/lib/extrausers/group entry has a gid < 500 then all entries
- from this file are ignored. libnss-extrausers-0.4 is affected as well.
+ from this file are ignored. libnss-extrausers-0.4 and libnss-
+ extrausers-0.6-4 are affected as well. This bug also affects Ubuntu Core
+ Desktop in an important way, because it heavily depends on extrausers,
+ so currently it has to use a patched .deb file to fix this. This is one
+ of the reasons to ask for a SRU for this bug.
The following file works fine, the entries appear in 'getent group'
output.
extra0:x:500
extra1:x:501
This file however is not read properly, the entries are missing in
output.
extra0:x:499
extra1:x:501
- The system in question is Ubuntu 10.04, libc6 version is 2.13-0ubuntu13
+ The system in question for the original report was Ubuntu 10.04, libc6
+ version is 2.13-0ubuntu13, but it also happens in Jammy.
+
+ [Test plan]
+
+ * install the libnss-extrausers package
+ * edit the /etc/nsswitch.conf file, and modify the "group:" entry to include into it "compat extrausers". For example, it the entry didn't exist, it should be added as:
+
+ group: compat extrausers
+
+ ; instead, if it already existed as, for example, "group: files
+ systemd", then add that at the end, thus:
+
+ group: files systemd compat extrausers
+
+ * edit the /var/lib/extrausers/group file and add this entry:
+
+ test1:x:1008:
+
+ (previously ensuring that there is neither group test1, nor gid 1008 in
+ the /etc/group file)
+
+ * exit the editor and type
+
+ getent group |grep test
+
+ it should show the previous entry.
+
+ * edit again the /var/lib/extrausers/group file and add this entry along
+ with the previous one:
+
+ test2:x:496:
+
+ (again, ensure that there is neither group test2, nor gid 496 in the
+ /etc/group file)
+
+ * exit the editor and type again:
+
+ getent group |grep test
+
+ [Expected results]
+
+ Both "test1:x:1008:" and "test2:x:496:" entries should be shown.
+ Instead, if the package is buggy, no entry will be shown.
+
+ [Where problems could occur]
+
+ An incorrect set of access permissions for the /var/lib/extrausers/group
+ file could allow to add new groups with privileged GIDs, which could
+ result in allowing access to files/folders/devices that a user should
+ not have access to.
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libnss-extrausers in Ubuntu.
https://bugs.launchpad.net/bugs/785051
Title:
groupsfile is ignored when any entry has id < 500
Status in libnss-extrausers package in Ubuntu:
Confirmed
Status in libnss-extrausers package in Debian:
New
Bug description:
[Impact]
Binary package hint: libnss-extrausers
If any /var/lib/extrausers/group entry has a gid < 500 then all
entries from this file are ignored. libnss-extrausers-0.4 and libnss-
extrausers-0.6-4 are affected as well. This bug also affects Ubuntu
Core Desktop in an important way, because it heavily depends on
extrausers, so currently it has to use a patched .deb file to fix
this. This is one of the reasons to ask for a SRU for this bug.
The following file works fine, the entries appear in 'getent group'
output.
extra0:x:500
extra1:x:501
This file however is not read properly, the entries are missing in
output.
extra0:x:499
extra1:x:501
The system in question for the original report was Ubuntu 10.04, libc6
version is 2.13-0ubuntu13, but it also happens in Jammy.
[Test plan]
* install the libnss-extrausers package
* edit the /etc/nsswitch.conf file, and modify the "group:" entry to include into it "compat extrausers". For example, it the entry didn't exist, it should be added as:
group: compat extrausers
; instead, if it already existed as, for example, "group: files
systemd", then add that at the end, thus:
group: files systemd compat extrausers
* edit the /var/lib/extrausers/group file and add this entry:
test1:x:1008:
(previously ensuring that there is neither group test1, nor gid 1008
in the /etc/group file)
* exit the editor and type
getent group |grep test
it should show the previous entry.
* edit again the /var/lib/extrausers/group file and add this entry
along with the previous one:
test2:x:496:
(again, ensure that there is neither group test2, nor gid 496 in the
/etc/group file)
* exit the editor and type again:
getent group |grep test
[Expected results]
Both "test1:x:1008:" and "test2:x:496:" entries should be shown.
Instead, if the package is buggy, no entry will be shown.
[Where problems could occur]
An incorrect set of access permissions for the
/var/lib/extrausers/group file could allow to add new groups with
privileged GIDs, which could result in allowing access to
files/folders/devices that a user should not have access to.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libnss-extrausers/+bug/785051/+subscriptions
More information about the foundations-bugs
mailing list