[Adduser-devel] Bug#701110: adduser removes cloned-uid usernames, during gpasswd -M ... (get_group_members() bug)

Daniel Heimann debian-bugreport at lancrew.de
Thu Feb 21 17:49:33 UTC 2013


Package: adduser
Version: 3.112+nmu2
Severity: important
Tags: patch

If adduser needs to call gpasswd -M (e.g. when adding the new user to groups,
because of EXTRA_GROUPS in adduser.conf) it uses get_group_members() to first
retrieve other users that have been added to the group before. It then adds
the new user to the list and calls gpasswd with all users all together.

When uid-cloned system users (two usernames, same userid) are members of such
a group, all but the first (as listed in passwd) get removed, due to adduser's
wrong call to gpasswd. The reason is get_group_members() returns wrong
@members, because getpwuid(getpwnam($_)) eq $_ does not match for cloned UIDs.
Instead the first matching username (as listed in passwd) is returned by
getpwuid, which is not $_ in this case, so the uid-cloned users do not get
pushed to @members.

get_group_members() (contained in /usr/share/perl5/Debian/AdduserCommon.pm)
is defined as

sub get_group_members
  {
      my $group = shift;
      my @members;
      foreach (split(/ /, (getgrnam($group))[3])) {
          if (getpwuid(getpwnam($_)) eq $_ ) {
              push @members, $_;
          }
      }
      return @members;
  }

While searching for the reason why this is broken in Squeeze and Wheezy, but
not Etch, I found http://anonscm.debian.org/viewvc/adduser/trunk/AdduserCommon.pm?r1=646&r2=732

It seems the getpwuid(getpwnam($_)) part was made to prevent root from being removed
from groups (because UID 0 "failed" the if), which is nice. In order to have this still
fixed (allow root to be and stay part of groups), not break cloned-uid usernames and
still validate that processed users actually exist, I'd propose the use of defined, like:

sub get_group_members
  {
      my $group = shift;
      my @members;
      foreach (split(/ /, (getgrnam($group))[3])) {
          if (defined getpwnam($_)) {
              push @members, $_;
          }
      }
      return @members;
  }

Works for me (in all described cases).


-- System Information:
Debian Release: 6.0.6
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to de_DE@euro)
Shell: /bin/sh linked to /bin/bash

Versions of packages adduser depends on:
ii  debconf [de 1.5.36.1                     Debian configuration management sy
ii  passwd      1:4.1.4.2+svn3283-2+squeeze1 change and administer password and
ii  perl-base   5.10.1-17squeeze4            minimal Perl system

adduser recommends no packages.

Versions of packages adduser suggests:
ii  liblocale-gettext-perl 1.05-6            Using libc functions for internati
ii  perl-modules           5.10.1-17squeeze4 Core Perl modules

-- debconf information excluded
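
The report's three membership checks compared side by side, as an added illustration that is not part of the original message or of adduser's code. The passwd entries, the group member list and the sim_getpwnam/sim_getpwuid helpers are constructed stand-ins; the "truthy uid" variant is an assumption reconstructed from the report's remark that UID 0 "failed" the if.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed passwd entries, in file order. "toor" and "svc-b" are cloned UIDs.
my @passwd = ([root => 0], [toor => 0], ['svc-a' => 1001], ['svc-b' => 1001]);

# Hypothetical stand-ins for scalar-context getpwnam/getpwuid, so the result
# does not depend on the accounts of the machine running this.
sub sim_getpwnam {            # name -> uid, undef if the name is unknown
    my $name = shift;
    for my $e (@passwd) { return $e->[1] if $e->[0] eq $name }
    return undef;
}
sub sim_getpwuid {            # uid -> FIRST name with that uid, in file order
    my $uid = shift;
    return undef unless defined $uid;
    for my $e (@passwd) { return $e->[0] if $e->[1] == $uid }
    return undef;
}

# The three membership filters discussed in the report.
my @checks = (
    # Assumed pre-change form: uid 0 is false in Perl, so root fails the test.
    [ 'truthy uid'       => sub { sim_getpwnam($_[0]) } ],
    # Squeeze/Wheezy form: name -> uid -> name must round-trip.
    [ 'round trip'       => sub { (sim_getpwuid(sim_getpwnam($_[0])) // '') eq $_[0] } ],
    # Proposed form: the name only has to resolve.
    [ 'defined getpwnam' => sub { defined sim_getpwnam($_[0]) } ],
);

# Constructed group member field; "ghost" has no passwd entry.
my @listed = split / /, 'root toor svc-a svc-b ghost';

for my $c (@checks) {
    my ($label, $ok) = @$c;
    my @kept    = grep {  $ok->($_) } @listed;
    my @dropped = grep { !$ok->($_) } @listed;
    # @kept is what would be handed to gpasswd -M, which sets the whole list,
    # so every name in @dropped loses its membership.
    printf "%-17s kept: %-24s dropped: %s\n", $label, "@kept", "@dropped";
}
```

Only the last filter keeps root and both cloned-UID names while still dropping the name that has no passwd entry.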


