[Adduser-devel] Re: [Pkg-shadow-devel] Bug#407231: passwd: users
may gain system group access on package installation by coincidence
bubulle at debian.org
Wed Jan 17 07:39:30 CET 2007
reassign 407231 adduser
retitle 407231 adduser: with addgroup, users may gain system group access on package installation by coincidence
Quoting Leonard Norrgård (vinsci at refactor.fi):
> Package: passwd
> Version: 1:18.104.22.168-6
> Severity: critical
> Tags: security
> Justification: root security hole
> An ordinary user may end up with group ownership of system files
> in the following scenario :
> 1. A user is added, and receives the user and group ids, <name>.
> 2. Later, a package is installed that asks for an identically named
> system group to be created, using 'addgroup --system <name>'.
> 3. Addgroup returns with a success exit status, showing the message
> 'The group `<name>' already exists as a system group. Exiting.",
> even though the pre-existing <name> group, as a group added for
> a user has a non-system id (ie. outside the range 100-999 .
> 4. The user <name> now has access to all system files that are
> installed for the <name> group.
> The problem occurs because in /usr/sbin/addgroup, the code on/after
> line 247 to existing_group_ok fails to check for and handle
> the situation where the existing GID is outside of the system GID
>  http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.2)
>  I discovered this while working on the packaging for kvm, which
> will create a 'kvm' group, likely to collide with existing user
> id:s on some systems.
Thanks for your detailed explanations and bug report. I won't go into
the details, essentially because this bug report is misdirected. At
first glance, you seem to be right and the bug seems easy to handle.
You identified the bug as a bug in the "addgroup" utility. However
"dpkg -S /usr/sbin/addgroup" will show you that this utility belongs
to the "adduser" package, not passwd.
I'm therefore reassigning this bug to adduser.
Again, thanks a lot for your care investigating this issue.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20070117/7ef550f5/attachment.pgp
More information about the Adduser-devel