[Bug 2063200] Re: useradd --extrausers --groups tries to lock /etc/group

Simon Chopin 2063200 at bugs.launchpad.net
Tue Jun 25 15:28:13 UTC 2024


Verification done:

ii  passwd         1:4.13+dfsg1-4ubuntu3.2 amd64        change and administer password and group data
+ apt-get -q install -y libnss-extrausers
Reading package lists...
Building dependency tree...
Reading state information...
Suggested packages:
  libc6-i386
The following NEW packages will be installed:
  libnss-extrausers
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 13.2 kB of archives.
After this operation, 55.3 kB of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu noble/universe amd64 libnss-extrausers amd64 0.6-5 [13.2 kB]
Fetched 13.2 kB in 0s (345 kB/s)
Selecting previously unselected package libnss-extrausers.
(Reading database ... 34405 files and directories currently installed.)
Preparing to unpack .../libnss-extrausers_0.6-5_amd64.deb ...
Unpacking libnss-extrausers (0.6-5) ...
Setting up libnss-extrausers (0.6-5) ...
Processing triggers for libc-bin (2.39-0ubuntu8.2) ...
Scanning processes...

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
+ sed -i -r '/^(passwd|group|shadow|gshadow)/ s/$/ extrausers/' /etc/nsswitch.conf
+ groupadd etcgroup
+ useradd --groups etcgroup etcuser
+ id etcuser
+ grep etcgroup
uid=1001(etcuser) gid=1002(etcuser) groups=1002(etcuser),1001(etcgroup)
+ groupadd etcgroup2
+ usermod --groups etcgroup2 etcuser
+ id etcuser
+ grep etcgroup2
uid=1001(etcuser) gid=1002(etcuser) groups=1002(etcuser),1003(etcgroup2)
+ useradd --groups nullgroup etcuser
useradd: group 'nullgroup' does not exist
+ echo Successfully rejected invalid group
Successfully rejected invalid group
++ ls /var/lib/extrausers
+ test '!' ''
+ groupadd --extrausers extragroup
ENTER EXTRAUSERS_GROUP_FILEEXIT EXTRAUSERS_GROUP_FILEENTER EXTRAUSERS_SHADOWGROUP_FILEEXIT EXTRAUSERS_SHADOWGROUP_FILE+ useradd --extrausers --groups extragroup extrauser
+ id extrauser
+ grep extragroup
uid=1002(extrauser) gid=1005(extrauser) groups=1005(extrauser),1004(extragroup)
+ useradd --extrausers extrauser2
+ id extrauser2
uid=1003(extrauser2) gid=1006(extrauser2) groups=1006(extrauser2)
+ mv /etc /etc-rw
+ mkdir /etc
+ mount -o bind,ro /etc-rw /etc
+ groupadd --extrausers extragroup2
ENTER EXTRAUSERS_GROUP_FILEEXIT EXTRAUSERS_GROUP_FILEENTER EXTRAUSERS_SHADOWGROUP_FILEEXIT EXTRAUSERS_SHADOWGROUP_FILE+ useradd --extrausers --groups extragroup2 extrauser3
+ id extrauser3
+ grep extragroup2
uid=1004(extrauser3) gid=1008(extrauser3) groups=1008(extrauser3),1007(extragroup2)

** Tags removed: verification-needed verification-needed-noble
** Tags added: verification-done verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/2063200

Title:
  useradd --extrausers --groups tries to lock /etc/group

Status in shadow package in Ubuntu:
  Fix Released
Status in shadow source package in Jammy:
  Invalid
Status in shadow source package in Mantic:
  Won't Fix
Status in shadow source package in Noble:
  Fix Committed
Status in shadow source package in Oracular:
  Fix Released

Bug description:
  [ Impact ]

  On Ubuntu Core 24 calling the command line

  useradd --extrausers --groups somegroup somenewuser

  ... fails with:

  useradd: cannot lock /etc/group; try again later.

  It worked on 22.04. /etc is not writable. It also fails if somegroup
  is a group in extrausers.

  [ Test Plan ]

  Part of the upload is adding an autopkgtest script testing useradd and
  usermod in the extrausers+readonly-etc case.

  In addition, the following commands should be run as root in a fresh
  container:

  ```
  # Install prerequisites
  apt install libnss-extrausers
  sed -i -r '/^(passwd|group|shadow|gshadow)/ s/$/ extrausers/' /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow

  # Sanity checks of "normal" path
  groupadd etcgroup
  useradd --groups etcgroup etcuser
  id etcuser | grep etcgroup
  groupadd etcgroup2
  usermod --groups etcgroup2 etcuser
  id etcuser | grep etcgroup2
  useradd --groups nullgroup etcuser || echo Successfully rejected invalid group

  ls /var/lib/extrausers/ # should be empty

  # Sanity checks of "extrausers" path in rw context
  groupadd --extrausers extragroup
  useradd --extrausers --groups extragroup extrauser # currently fails
  id extrauser | grep extragroup
  useradd --extrausers extrauser2
  id extrauser2

  # Sanity checks of "extrausers" path in ro context
  mv /etc /etc-rw
  mkdir /etc
  mount -o bind,ro /etc-rw /etc
  groupadd --extrausers extragroup2
  useradd --extrausers --groups etcgroup extrauser3
  id extrauser3 | grep etcgroup
  ```

  Furthermore, validation from the Ubuntu Core team that this actually fixes
  their use case is required.

  [ Where problems could occur ]

  Regression potential is in the group validation stage of the `usermod` and
  `useradd` tools. Besides the usual risks related to C code, the various failure
  scenarios that come to mind are:

  * try to add the user to a non-existing local group, which would fail further
    down with a different error message
  * actually fail to identify a valid local group
  * Fail to either add the user to the system, or the user to the group
  * Update the wrong file (/var/lib/extrausers/* vs /etc/*)
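
The `id` checks in the test plan resolve names through NSS and so do not show which file an entry was written to. The following is an added example, not part of the bug report or the shadow package, that checks this directly; the function names and the `ROOT` prefix argument are hypothetical, and the fixture is constructed from the names and IDs in the verification log.

```shell
# Added example. ROOT is a hypothetical prefix so the checks can run on a fixture tree.

# db_has FILE NAME: succeed if NAME is the first field of a line in FILE.
db_has() {
    [ -r "$1" ] && awk -F: -v n="$2" '$1 == n { f = 1 } END { exit !f }' "$1"
}

# member_of FILE GROUP USER: succeed if GROUP's member list (field 4) has USER.
member_of() {
    [ -r "$1" ] && awk -F: -v g="$2" -v u="$3" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) f = 1 }
        END { exit !f }' "$1"
}

# classify ETC_HIT EXTRA_HIT: map two 0/1 flags to a location name.
classify() {
    case "$1$2" in
        11) echo both ;; 10) echo etc ;; 01) echo extrausers ;; *) echo none ;;
    esac
}

# entry_location ROOT DB NAME: which copy of DB (passwd, group) defines NAME.
entry_location() {
    e=0; x=0
    db_has "$1/etc/$2" "$3" && e=1
    db_has "$1/var/lib/extrausers/$2" "$3" && x=1
    classify "$e" "$x"
}

# membership_location ROOT GROUP USER: which group file records the membership.
membership_location() {
    e=0; x=0
    member_of "$1/etc/group" "$2" "$3" && e=1
    member_of "$1/var/lib/extrausers/group" "$2" "$3" && x=1
    classify "$e" "$x"
}

# make_fixture: constructed sample tree; prints its path.
make_fixture() {
    d=$(mktemp -d) && mkdir -p "$d/etc" "$d/var/lib/extrausers" || return 1
    printf '%s\n' 'etcuser:x:1001:1002::/home/etcuser:/bin/sh' > "$d/etc/passwd"
    printf '%s\n' 'etcgroup:x:1001:' 'etcgroup2:x:1003:etcuser' > "$d/etc/group"
    printf '%s\n' 'extrauser:x:1002:1005::/home/extrauser:/bin/sh' > "$d/var/lib/extrausers/passwd"
    printf '%s\n' 'extragroup:x:1004:extrauser' > "$d/var/lib/extrausers/group"
    echo "$d"
}

root=$(make_fixture)
echo "extrauser passwd entry: $(entry_location "$root" passwd extrauser)"
echo "extrauser in extragroup: $(membership_location "$root" extragroup extrauser)"
rm -rf "$root"
```

On a real system, pass `/` as `ROOT` after each step of the test plan; a result of `etc` or `both` for an account created with `--extrausers` indicates the wrong file was updated.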
