[Adduser-devel] Bug#701110: adduser removes cloned-uid usernames, during gpasswd -M ... (get_group_members() bug)
Daniel Heimann
debian-bugreport at lancrew.de
Thu Feb 21 17:49:33 UTC 2013
Package: adduser
Version: 3.112+nmu2
Severity: important
Tags: patch
If adduser needs to call gpasswd -M (e.g. when adding the new user to groups,
because of EXTRA_GROUPS in adduser.conf) it uses get_group_members() to first
retrieve other users that have been added to the group before. It then adds
the new user to the list and calls gpasswd with all users all together.

When uid-cloned system users (two usernames, same userid) are members of such
a group, all but the first (as listed in passwd) get removed, due to adduser's
wrong call to gpasswd. The reason is get_group_members() returns wrong
@members, because getpwuid(getpwnam($_)) eq $_ does not match for cloned uids.
Instead the first matching username (as listed in passwd) is returned by
getpwuid which is not $_ in this case, so the uid-cloned users do not get
pushed to @members.

get_group_members() (contained in /usr/share/perl5/Debian/AdduserCommon.pm)
is defined as

    sub get_group_members
    {
        my $group = shift;
        my @members;
        foreach (split(/ /, (getgrnam($group))[3])) {
            if (getpwuid(getpwnam($_)) eq $_ ) {
                push @members, $_;
            }
        }
        return @members;
    }

While searching for the reason why this is broken in Squeeze and Wheezy, but
not Etch, I found http://anonscm.debian.org/viewvc/adduser/trunk/AdduserCommon.pm?r1=646&r2=732

It seems the getpwuid(getpwnam($_)) part was made to prevent root from being removed
from groups (because UID 0 "failed" the if), which is nice. In order to have this still
fixed (allow root to be and stay part of groups), not break cloned-uid usernames and
still validate that processed users actually exist, I'd propose the use of defined, like:

    sub get_group_members
    {
        my $group = shift;
        my @members;
        foreach (split(/ /, (getgrnam($group))[3])) {
            if (defined getpwnam($_)) {
                push @members, $_;
            }
        }
        return @members;
    }

Works for me (in all described cases).
-- System Information:
Debian Release: 6.0.6
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to de_DE@euro)
Shell: /bin/sh linked to /bin/bash
Versions of packages adduser depends on:
ii debconf [de 1.5.36.1 Debian configuration management sy
ii passwd 1:4.1.4.2+svn3283-2+squeeze1 change and administer password and
ii perl-base 5.10.1-17squeeze4 minimal Perl system
adduser recommends no packages.
Versions of packages adduser suggests:
ii liblocale-gettext-perl 1.05-6 Using libc functions for internati
ii perl-modules 5.10.1-17squeeze4 Core Perl modules
-- debconf information excluded
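
The difference between the two membership filters, as an added example that is not part of the original report or of adduser's code: it replaces getpwnam/getpwuid with stand-in lookups (sim_getpwnam and sim_getpwuid, both hypothetical) over a constructed passwd table, so it runs without reading the system's accounts. All account names and uids are constructed sample data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed passwd entries in file order: [name, uid]. "backup2" clones uid 34.
my @passwd = (['root', 0], ['backup', 34], ['backup2', 34], ['alice', 1000]);
# Constructed member list of one group; "ghost" has no passwd entry.
my @group_members = qw(root backup backup2 alice ghost);

# Stand-ins (assumptions) for getpwnam/getpwuid in scalar context.
sub sim_getpwnam {
    my $name = shift;
    for my $e (@passwd) { return $e->[1] if $e->[0] eq $name }
    return undef;
}
sub sim_getpwuid {
    my $uid = shift;
    return undef unless defined $uid;
    # Like a passwd file scan: the first entry with this uid wins.
    for my $e (@passwd) { return $e->[0] if $e->[1] == $uid }
    return undef;
}

# Filter as in the reported get_group_members(): name -> uid -> name round trip.
sub members_roundtrip {
    return grep {
        my $n = sim_getpwuid(sim_getpwnam($_));
        defined $n && $n eq $_
    } @_;
}

# Filter as in the proposed fix: keep every name that resolves to an account.
sub members_defined {
    return grep { defined(sim_getpwnam($_)) } @_;
}

my @old  = members_roundtrip(@group_members);
my @new  = members_defined(@group_members);
my %kept = map { $_ => 1 } @old;
# Existing accounts that the round-trip filter would omit from the gpasswd -M list.
my @dropped = grep { !$kept{$_} } @new;

print "round-trip filter: @old\n";
print "defined filter:    @new\n";
print "lost on gpasswd -M: @dropped\n";
```

Both filters discard the nonexistent "ghost"; only the round-trip filter also discards an existing account whose uid is shared with an earlier passwd entry.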