[Bug 2063200] Re: useradd --extrausers --groups tries to lock /etc/group
Simon Chopin
2063200 at bugs.launchpad.net
Mon Jul 1 11:02:24 UTC 2024
You're right, I forgot to ping them!
On Mon, Jul 1, 2024 at 11:45 AM Łukasz Zemczak <2063200 at bugs.launchpad.net>
wrote:
> Did we get verification from the Ubuntu Core team if this actually fixes
> the problem for them? Looks like it's a required step in the
> verification.
>
> --
> You received this bug notification because you are a bug assignee.
> https://bugs.launchpad.net/bugs/2063200
>
> Title:
> useradd --extrausers --groups tries to lock /etc/group
>
> Status in shadow package in Ubuntu:
> Fix Released
> Status in shadow source package in Jammy:
> Invalid
> Status in shadow source package in Mantic:
> Won't Fix
> Status in shadow source package in Noble:
> Fix Committed
> Status in shadow source package in Oracular:
> Fix Released
>
> Bug description:
> [ Impact ]
>
> On Ubuntu Core 24 calling the command line
>
> useradd --extrausers --groups somegroup somenewuser
>
> ... fails with:
>
> useradd: cannot lock /etc/group; try again later.
>
> It worked on 22.04. /etc is not writable. It also fails if somegroup
> is a group in extrausers.
>
> [ Test Plan ]
>
> Part of the upload is adding an autopkgtest script testing useradd and
> usermod in the extrausers+readonly-etc case.
>
> In addition, the following commands should be run as root in a fresh
> container:
>
> ```
> # Install prerequisites
> apt install libnss-extrausers
> sed -i -r '/^(passwd|group|shadow|gshadow)/ s/$/ extrausers/' /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow
>
> # Sanity checks of "normal" path
> groupadd etcgroup
> useradd --groups etcgroup etcuser
> id etcuser | grep etcgroup
> groupadd etcgroup2
> usermod --groups etcgroup2 etcuser
> id etcuser | grep etcgroup2
> useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
>
> ls /var/lib/extrausers/ # should be empty
>
> # Sanity checks of "extrausers" path in rw context
> groupadd --extrausers extragroup
> useradd --extrausers --groups extragroup extrauser # currently fails
> id extrauser | grep extragroup
> useradd --extrausers extrauser2
> id extrauser2
>
> # Sanity checks of "extrausers" path in ro context
> mv /etc /etc-rw
> mkdir /etc
> mount -o bind,ro /etc-rw /etc
> groupadd --extrausers extragroup2
> useradd --extrausers --groups etcgroup extrauser3
> id extrauser3 | grep etcgroup
> ```
>
> Furthermore, validation from the Ubuntu Core team that this actually fixes
> their use case is required.
>
> [ Where problems could occur ]
>
> Regression potential is in the group validation stage of the `usermod` and
> `useradd` tools. Besides the usual risks related to C code, the various failure
> scenarios that come to mind are:
>
> * try to add the user to a non-existing local group, which would fail further
>   down with a different error message
> * actually fail to identify a valid local group
> * Fail to either add the user to the system, or the user to the group
> * Update the wrong file (/var/lib/extrausers/* vs /etc/*)
>
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/2063200
Title:
useradd --extrausers --groups tries to lock /etc/group

Status in shadow package in Ubuntu:
Fix Released
Status in shadow source package in Jammy:
Invalid
Status in shadow source package in Mantic:
Won't Fix
Status in shadow source package in Noble:
Fix Committed
Status in shadow source package in Oracular:
Fix Released

Bug description:
[ Impact ]

On Ubuntu Core 24 calling the command line

useradd --extrausers --groups somegroup somenewuser

... fails with:

useradd: cannot lock /etc/group; try again later.

It worked on 22.04. /etc is not writable. It also fails if somegroup
is a group in extrausers.

[ Test Plan ]

Part of the upload is adding an autopkgtest script testing useradd and
usermod in the extrausers+readonly-etc case.

In addition, the following commands should be run as root in a fresh
container:

```
# Install prerequisites
apt install libnss-extrausers
sed -i -r '/^(passwd|group|shadow|gshadow)/ s/$/ extrausers/' /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow
# Sanity checks of "normal" path
groupadd etcgroup
useradd --groups etcgroup etcuser
id etcuser | grep etcgroup
groupadd etcgroup2
usermod --groups etcgroup2 etcuser
id etcuser | grep etcgroup2
useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
ls /var/lib/extrausers/ # should be empty
# Sanity checks of "extrausers" path in rw context
groupadd --extrausers extragroup
useradd --extrausers --groups extragroup extrauser # currently fails
id extrauser | grep extragroup
useradd --extrausers extrauser2
id extrauser2
# Sanity checks of "extrausers" path in ro context
mv /etc /etc-rw
mkdir /etc
mount -o bind,ro /etc-rw /etc
groupadd --extrausers extragroup2
useradd --extrausers --groups etcgroup extrauser3
id extrauser3 | grep etcgroup
```

Furthermore, validation from the Ubuntu Core team that this actually fixes
their use case is required.

[ Where problems could occur ]

Regression potential is in the group validation stage of the `usermod` and
`useradd` tools. Besides the usual risks related to C code, the various failure
scenarios that come to mind are:

* try to add the user to a non-existing local group, which would fail further
  down with a different error message
* actually fail to identify a valid local group
* Fail to either add the user to the system, or the user to the group
* Update the wrong file (/var/lib/extrausers/* vs /etc/*)
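
The "wrong file" scenario in the list above is not visible through `id ... | grep`, which only shows the merged NSS view of both databases. As an added example (not part of the bug report or of the shadow package), this POSIX shell helper reports which file actually holds a user or a supplementary group membership; the function names and the `ROOT` prefix argument are assumptions made here, and the fixture is constructed sample data.

```shell
#!/bin/sh
# Added example (not from the bug report): locate a user and a supplementary
# group membership in the /etc or extrausers databases.
# ROOT is a hypothetical prefix argument: "" for the live system, or a
# directory holding a constructed copy of the files.

_has_user() {    # _has_user FILE USER
    awk -F: -v u="$2" '$1 == u { f = 1 } END { exit !f }' "$1" 2>/dev/null
}

_has_member() {  # _has_member FILE GROUP USER (field 4 is the member list)
    awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 }
        END { exit !f }' "$1" 2>/dev/null
}

_where() {       # _where ETC_STATUS EXTRA_STATUS (0 means "found")
    case "$1:$2" in
        0:0) echo both ;;
        0:*) echo etc ;;
        *:0) echo extrausers ;;
        *)   echo none ;;
    esac
}

user_db() {        # user_db ROOT USER
    e=0; x=0
    _has_user "$1/etc/passwd" "$2" || e=$?
    _has_user "$1/var/lib/extrausers/passwd" "$2" || x=$?
    _where "$e" "$x"
}

membership_db() {  # membership_db ROOT GROUP USER
    e=0; x=0
    _has_member "$1/etc/group" "$2" "$3" || e=$?
    _has_member "$1/var/lib/extrausers/group" "$2" "$3" || x=$?
    _where "$e" "$x"
}

make_fixture() {   # constructed sample tree; prints its path
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/var/lib/extrausers" || return 1
    echo 'etcuser:x:1001:1001::/home/etcuser:/bin/sh' > "$d/etc/passwd"
    echo 'etcgroup:x:1003:etcuser' > "$d/etc/group"
    echo 'extrauser:x:1002:1002::/home/extrauser:/bin/sh' > "$d/var/lib/extrausers/passwd"
    echo 'extragroup:x:1004:other,extrauser' > "$d/var/lib/extrausers/group"
    echo "$d"
}
```

On a live system pass an empty `ROOT`, for example `user_db "" extrauser` after the rw-context step of the test plan; a result of `etc` or `both` there would point at the wrong-file regression.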