[Adduser-devel] Bug#407231: passwd: users may gain system group access on package installation by coincidence

Stephen Gran sgran at debian.org
Wed Jan 17 12:45:08 CET 2007

reassign adduser

This one time, at band camp, Leonard Norrgård said:
> An ordinary user may end up with group ownership of system files
> in the following scenario [2]:
>  1. A user is added, and receives the user and group ids, <name>.
>  2. Later, a package is installed that asks for an identically named
>     system group to be created, using 'addgroup --system <name>'.
>  3. Addgroup returns with a success exit status, showing the message
>     'The group `<name>' already exists as a system group. Exiting.",
>     even though the pre-existing <name> group, as a group added for
>     a user has a non-system id (ie. outside the range 100-999 [1].

Aha.  I have checked in a fix for this.  We will upload shortly.

>  4. The user <name> now has access to all system files that are
>     installed for the <name> group.
> The problem occurs because in /usr/sbin/addgroup, the code on/after
> line 247 to existing_group_ok fails to check for and handle
> the situation where the existing GID is outside of the system GID
> boundaries.

The addgroup script comes from the adduser package.  Reassigning.

|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran at debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.alioth.debian.org/pipermail/adduser-devel/attachments/20070117/d68cd1a1/attachment.pgp

More information about the Adduser-devel mailing list