[Bug 2063200] Re: useradd --extrausers --groups tries to lock /etc/group
Simon Chopin
2063200 at bugs.launchpad.net
Wed May 22 15:04:31 UTC 2024
** Description changed:
+ [ Impact ]
+
On Ubuntu Core 24 calling the command line
useradd --extrausers --groups somegroup somenewuser
... fails with:
useradd: cannot lock /etc/group; try again later.
It worked on 22.04. /etc is not writable. It also fails if somegroup is
a group in extrausers.
+
+ [ Test Plan ]
+
+ Part of the upload is adding an autopkgtest script testing useradd and
+ usermod in the extrausers+readonly-etc case.
+
+ In addition, the following commands should be run as root in a fresh
+ container:
+
+ ```
+ # Install prerequisites
+ apt install libnss-extrausers
+ vim /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow
+
+ # Sanity checks of "normal" path
+ groupadd etcgroup
+ useradd --groups etcgroup etcuser
+ id etcuser | grep etcgroup
+ groupadd etcgroup2
+ usermod --groups etcgroup2 etcuser
+ id etcuser | grep etcgroup2
+ useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
+
+ ls /var/lib/extrausers/ # should be empty
+
+ # Sanity checks of "extrausers" path in rw context
+ groupadd --extrausers extragroup
+ useradd --extrausers --groups extragroup extrauser # currently fails
+ id extrauser | grep extragroup
+ useradd --extrausers extrauser2
+ id extrauser2
+ usermod --extrausers --groups extragroup extrauser2
+ id extrauser2 | grep extragroup
+
+ # Sanity checks of "extrausers" path in ro context
+ mv /etc /etc-rw
+ mkdir /etc
+ mount -o bind,ro /etc-rw /etc
+ groupadd --extrausers extragroup2
+ useradd --extrausers --groups etcgroup extrauser3
+ id extrauser4 | grep etcgroup
+ usermod --extrausers --groups extragroup2 extrauser3
+ id extrauser4 | grep extragroup2
+ ```
+
+
+ Furthermore, validation from the Ubuntu Core team that this actually fixes
+ their use case is required.
+
+ [ Where problems could occur ]
+
+ Regression potential is in the group validation stage of the `usermod` and
+ `useradd` tools. Besides the usual risks related to C code, the various failure
+ scenarios that come to mind are:
+
+ * try to add the user to an non-existing local group, which would fail further
+ down with a different error message
+ * actually fail to identify a valid local group
+ * Fail to either add the user to the system, or the user to the group
+ * Update the wrong file (/var/lib/extrausers/* vs /etc/*)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/2063200
Title:
useradd --extrausers --groups tries to lock /etc/group
Status in shadow package in Ubuntu:
Fix Committed
Status in shadow source package in Jammy:
Invalid
Status in shadow source package in Mantic:
Won't Fix
Status in shadow source package in Noble:
In Progress
Status in shadow source package in Oracular:
Fix Committed
Bug description:
[ Impact ]
On Ubuntu Core 24 calling the command line
useradd --extrausers --groups somegroup somenewuser
... fails with:
useradd: cannot lock /etc/group; try again later.
It worked on 22.04. /etc is not writable. It also fails if somegroup
is a group in extrausers.
[ Test Plan ]
Part of the upload is adding an autopkgtest script testing useradd and
usermod in the extrausers+readonly-etc case.
In addition, the following commands should be run as root in a fresh
container:
```
# Install prerequisites
apt install libnss-extrausers
vim /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow
# Sanity checks of "normal" path
groupadd etcgroup
useradd --groups etcgroup etcuser
id etcuser | grep etcgroup
groupadd etcgroup2
usermod --groups etcgroup2 etcuser
id etcuser | grep etcgroup2
useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
ls /var/lib/extrausers/ # should be empty
# Sanity checks of "extrausers" path in rw context
groupadd --extrausers extragroup
useradd --extrausers --groups extragroup extrauser # currently fails
id extrauser | grep extragroup
useradd --extrausers extrauser2
id extrauser2
usermod --extrausers --groups extragroup extrauser2
id extrauser2 | grep extragroup
# Sanity checks of "extrausers" path in ro context
mv /etc /etc-rw
mkdir /etc
mount -o bind,ro /etc-rw /etc
groupadd --extrausers extragroup2
useradd --extrausers --groups etcgroup extrauser3
id extrauser4 | grep etcgroup
usermod --extrausers --groups extragroup2 extrauser3
id extrauser4 | grep extragroup2
```
Furthermore, validation from the Ubuntu Core team that this actually fixes
their use case is required.
[ Where problems could occur ]
Regression potential is in the group validation stage of the `usermod` and
`useradd` tools. Besides the usual risks related to C code, the various failure
scenarios that come to mind are:
* try to add the user to an non-existing local group, which would fail further
down with a different error message
* actually fail to identify a valid local group
* Fail to either add the user to the system, or the user to the group
* Update the wrong file (/var/lib/extrausers/* vs /etc/*)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/shadow/+bug/2063200/+subscriptions
More information about the foundations-bugs
mailing list