[Bug 785051] Re: groupsfile is ignored when any entry has id < 500

Sergio Costas 785051 at bugs.launchpad.net
Thu Jan 18 15:49:41 UTC 2024 

There is patched .deb in the Core Desktop PPA:
https://launchpad.net/~desktop-snappers/+archive/ubuntu/core-desktop
(version 0.6-4.1+ucd1).

** Description changed:

+ [Impact]
  Binary package hint: libnss-extrausers
  
  If any /var/lib/extrausers/group entry has a gid < 500 then all entries
- from this file are ignored. libnss-extrausers-0.4 is affected as well.
+ from this file are ignored. libnss-extrausers-0.4 and libnss-
+ extrausers-0.6-4 are affected as well. This bug also affects Ubuntu Core
+ Desktop in an important way, because it heavily depends on extrausers,
+ so currently it has to use a patched .deb file to fix this. This is one
+ of the reasons to ask for a SRU for this bug.
  
  The following file works fine, the entries appear in 'getent group'
  output.
  
  extra0:x:500
  extra1:x:501
  
  This file however is not read properly, the entries are missing in
  output.
  
  extra0:x:499
  extra1:x:501
  
- The system in question is Ubuntu 10.04, libc6 version is 2.13-0ubuntu13
+ The system in question for the original report was Ubuntu 10.04, libc6
+ version is 2.13-0ubuntu13, but it also happens in Jammy.
+ 
+ [Test plan]
+ 
+ * install the libnss-extrausers package
+ * edit the /etc/nsswitch.conf file, and modify the "group:" entry to include into it "compat extrausers". For example, it the entry didn't exist, it should be added as:
+ 
+     group: compat extrausers
+ 
+ ; instead, if it already existed as, for example, "group: files
+ systemd", then add that at the end, thus:
+ 
+     group: files systemd compat extrausers
+ 
+ * edit the /var/lib/extrausers/group file and add this entry:
+ 
+     test1:x:1008:
+ 
+ (previously ensuring that there is neither group test1, nor gid 1008 in
+ the /etc/group file)
+ 
+ * exit the editor and type
+ 
+     getent group |grep test
+ 
+ it should show the previous entry.
+ 
+ * edit again the /var/lib/extrausers/group file and add this entry along
+ with the previous one:
+ 
+     test2:x:496:
+ 
+ (again, ensure that there is neither group test2, nor gid 496 in the
+ /etc/group file)
+ 
+ * exit the editor and type again:
+ 
+     getent group |grep test
+ 
+ [Expected results]
+ 
+ Both "test1:x:1008:" and "test2:x:496:" entries should be shown.
+ Instead, if the package is buggy, no entry will be shown.
+ 
+ [Where problems could occur]
+ 
+ An incorrect set of access permissions for the /var/lib/extrausers/group
+ file could allow to add new groups with privileged GIDs, which could
+ result in allowing access to files/folders/devices that a user should
+ not have access to.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libnss-extrausers in Ubuntu.
https://bugs.launchpad.net/bugs/785051

Title:
  groupsfile is ignored when any entry has id < 500

Status in libnss-extrausers package in Ubuntu:
  Confirmed
Status in libnss-extrausers package in Debian:
  New

Bug description:
  [Impact]
  Binary package hint: libnss-extrausers

  If any /var/lib/extrausers/group entry has a gid < 500 then all
  entries from this file are ignored. libnss-extrausers-0.4 and libnss-
  extrausers-0.6-4 are affected as well. This bug also affects Ubuntu
  Core Desktop in an important way, because it heavily depends on
  extrausers, so currently it has to use a patched .deb file to fix
  this. This is one of the reasons to ask for a SRU for this bug.

  The following file works fine, the entries appear in 'getent group'
  output.

  extra0:x:500
  extra1:x:501

  This file however is not read properly, the entries are missing in
  output.

  extra0:x:499
  extra1:x:501

  The system in question for the original report was Ubuntu 10.04, libc6
  version is 2.13-0ubuntu13, but it also happens in Jammy.

  [Test plan]

  * install the libnss-extrausers package
  * edit the /etc/nsswitch.conf file, and modify the "group:" entry to include into it "compat extrausers". For example, it the entry didn't exist, it should be added as:

      group: compat extrausers

  ; instead, if it already existed as, for example, "group: files
  systemd", then add that at the end, thus:

      group: files systemd compat extrausers

  * edit the /var/lib/extrausers/group file and add this entry:

      test1:x:1008:

  (previously ensuring that there is neither group test1, nor gid 1008
  in the /etc/group file)

  * exit the editor and type

      getent group |grep test

  it should show the previous entry.

  * edit again the /var/lib/extrausers/group file and add this entry
  along with the previous one:

      test2:x:496:

  (again, ensure that there is neither group test2, nor gid 496 in the
  /etc/group file)

  * exit the editor and type again:

      getent group |grep test

  [Expected results]

  Both "test1:x:1008:" and "test2:x:496:" entries should be shown.
  Instead, if the package is buggy, no entry will be shown.

  [Where problems could occur]

  An incorrect set of access permissions for the
  /var/lib/extrausers/group file could allow to add new groups with
  privileged GIDs, which could result in allowing access to
  files/folders/devices that a user should not have access to.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libnss-extrausers/+bug/785051/+subscriptions

More information about the foundations-bugs mailing list