[Adduser-devel] Bug#407231: passwd: users may gain system group
access on package installation by coincidence
Stephen Gran
sgran at debian.org
Wed Jan 17 12:45:08 CET 2007
reassign adduser
thanks
This one time, at band camp, Leonard Norrgård said:
> An ordinary user may end up with group ownership of system files
> in the following scenario [2]:
>
> 1. A user is added, and receives the user and group ids, <name>.
> 2. Later, a package is installed that asks for an identically named
> system group to be created, using 'addgroup --system <name>'.
> 3. Addgroup returns with a success exit status, showing the message
> "The group `<name>' already exists as a system group. Exiting.",
> even though the pre-existing <name> group, as a group added for
> a user, has a non-system id (i.e. outside the range 100-999 [1]).
Aha. I have checked in a fix for this. We will upload shortly.
> 4. The user <name> now has access to all system files that are
> installed for the <name> group.
>
> The problem occurs because in /usr/sbin/addgroup, the code on/after
> line 247 to existing_group_ok fails to check for and handle
> the situation where the existing GID is outside of the system GID
> boundaries.
The addgroup script comes from the adduser package. Reassigning.
Thanks,
--
-----------------------------------------------------------------
| ,''`. Stephen Gran |
| : :' : sgran at debian.org |
| `. `' Debian user, admin, and developer |
| `- http://www.debian.org |
-----------------------------------------------------------------
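
The check the report describes as missing, written out as an added shell example (not adduser's code and not the fix mentioned above). The function name system_group_status, the sample users and groups, and the temporary files are constructed for illustration; the 100-999 range is the one quoted in the report.

```shell
#!/bin/sh
# System GID range as quoted in the bug report (assumed, not read from adduser.conf).
FIRST_SYSTEM_GID=100
LAST_SYSTEM_GID=999

# system_group_status NAME GROUP_FILE [PASSWD_FILE]
# Prints: "missing"              no such group, creating a system group is safe
#         "ok GID"               group exists with a GID inside the system range
#         "conflict GID USERS"   group exists outside the range; USERS would
#                                gain access to files installed for the group
# Returns 0 for missing/ok and 1 for conflict, so a caller can refuse to go on.
system_group_status() {
    name=$1 group_file=$2 passwd_file=${3:-/dev/null}
    entry=$(awk -F: -v n="$name" '$1 == n { print $3 ":" $4; exit }' "$group_file")
    if [ -z "$entry" ]; then
        echo "missing"; return 0
    fi
    gid=${entry%%:*}
    members=${entry#*:}
    if [ "$gid" -ge "$FIRST_SYSTEM_GID" ] && [ "$gid" -le "$LAST_SYSTEM_GID" ]; then
        echo "ok $gid"; return 0
    fi
    # Users whose primary group is this GID, plus supplementary members.
    primary=$(awk -F: -v g="$gid" '$4 == g { print $1 }' "$passwd_file")
    users=$(printf '%s\n%s\n' "$primary" "$members" | tr ',' '\n' |
            sed '/^$/d' | sort -u | paste -sd, -)
    echo "conflict $gid $users"
    return 1
}

# Constructed sample data: user "scanner" was added first and received
# UID/GID 1001; "spool" is a group created inside the system range.
sample_dir=$(mktemp -d)
cat > "$sample_dir/group" <<'EOF'
scanner:x:1001:carol
spool:x:105:
EOF
cat > "$sample_dir/passwd" <<'EOF'
scanner:x:1001:1001::/home/scanner:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
EOF

# A package asking for system group "scanner" must not be told "already exists".
system_group_status scanner "$sample_dir/group" "$sample_dir/passwd" ||
    echo "refusing to reuse non-system group as a system group"
```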