[Bug 785051] Re: groupsfile is ignored when any entry has id < 500
Launchpad Bug Tracker
785051 at bugs.launchpad.net
Sat Jan 20 03:52:26 UTC 2024
This bug was fixed in the package libnss-extrausers - 0.6-5
---------------
libnss-extrausers (0.6-5) unstable; urgency=medium
[ Simon Quigley ]
* Team upload.
* ACK the previous NMU on behalf of the Debian QA Team. Thank you!
[ James Henstridge ]
* Allow low group IDs in order to extend /etc/group group membership
(LP: #785051).
-- Simon Quigley <tsimonq2 at debian.org> Fri, 19 Jan 2024 11:53:07 -0600
** Changed in: libnss-extrausers (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libnss-extrausers in Ubuntu.
https://bugs.launchpad.net/bugs/785051
Title:
groupsfile is ignored when any entry has id < 500
Status in libnss-extrausers package in Ubuntu:
Fix Released
Status in libnss-extrausers package in Debian:
New
Bug description:
[Impact]
Binary package hint: libnss-extrausers
If any /var/lib/extrausers/group entry has a gid < 500 then all
entries from this file are ignored. libnss-extrausers-0.4 and libnss-
extrausers-0.6-4 are affected as well. This bug also affects Ubuntu
Core Desktop in an important way, because it heavily depends on
extrausers, so currently it has to use a patched .deb file to fix
this. This is one of the reasons to ask for a SRU for this bug.
The following file works fine, the entries appear in 'getent group'
output.
extra0:x:500
extra1:x:501
This file however is not read properly, the entries are missing in
output.
extra0:x:499
extra1:x:501
The system in question for the original report was Ubuntu 10.04, libc6
version is 2.13-0ubuntu13, but it also happens in Jammy.
[Test plan]
* install the libnss-extrausers package
* edit the /etc/nsswitch.conf file, and modify the "group:" entry to include into it "compat extrausers". For example, it the entry didn't exist, it should be added as:
group: compat extrausers
; instead, if it already existed as, for example, "group: files
systemd", then add that at the end, thus:
group: files systemd compat extrausers
* edit the /var/lib/extrausers/group file and add this entry:
test1:x:1008:
(previously ensuring that there is neither group test1, nor gid 1008
in the /etc/group file)
* exit the editor and type
getent group |grep test
it should show the previous entry.
* edit again the /var/lib/extrausers/group file and add this entry
along with the previous one:
test2:x:496:
(again, ensure that there is neither group test2, nor gid 496 in the
/etc/group file)
* exit the editor and type again:
getent group |grep test
[Expected results]
Both "test1:x:1008:" and "test2:x:496:" entries should be shown.
Instead, if the package is buggy, no entry will be shown.
[Where problems could occur]
An incorrect set of access permissions for the
/var/lib/extrausers/group file could allow to add new groups with
privileged GIDs, which could result in allowing access to
files/folders/devices that a user should not have access to.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libnss-extrausers/+bug/785051/+subscriptions
More information about the foundations-bugs
mailing list