[Bug 785051] [NEW] groupsfile is ignored when any entry has id < 500

Launchpad Bug Tracker 785051 at bugs.launchpad.net
Thu Jan 18 16:21:27 UTC 2024 

You have been subscribed to a public bug by Ubuntu Foundations Team Bug Bot (crichton):

[Impact]
Binary package hint: libnss-extrausers

If any /var/lib/extrausers/group entry has a gid < 500 then all entries
from this file are ignored. libnss-extrausers-0.4 and libnss-
extrausers-0.6-4 are affected as well. This bug also affects Ubuntu Core
Desktop in an important way, because it heavily depends on extrausers,
so currently it has to use a patched .deb file to fix this. This is one
of the reasons to ask for a SRU for this bug.

The following file works fine, the entries appear in 'getent group'
output.

extra0:x:500
extra1:x:501

This file however is not read properly, the entries are missing in
output.

extra0:x:499
extra1:x:501

The system in question for the original report was Ubuntu 10.04, libc6
version is 2.13-0ubuntu13, but it also happens in Jammy.

[Test plan]

* install the libnss-extrausers package
* edit the /etc/nsswitch.conf file, and modify the "group:" entry to include into it "compat extrausers". For example, it the entry didn't exist, it should be added as:

    group: compat extrausers

; instead, if it already existed as, for example, "group: files
systemd", then add that at the end, thus:

    group: files systemd compat extrausers

* edit the /var/lib/extrausers/group file and add this entry:

    test1:x:1008:

(previously ensuring that there is neither group test1, nor gid 1008 in
the /etc/group file)

* exit the editor and type

    getent group |grep test

it should show the previous entry.

* edit again the /var/lib/extrausers/group file and add this entry along
with the previous one:

    test2:x:496:

(again, ensure that there is neither group test2, nor gid 496 in the
/etc/group file)

* exit the editor and type again:

    getent group |grep test

[Expected results]

Both "test1:x:1008:" and "test2:x:496:" entries should be shown.
Instead, if the package is buggy, no entry will be shown.

[Where problems could occur]

An incorrect set of access permissions for the /var/lib/extrausers/group
file could allow to add new groups with privileged GIDs, which could
result in allowing access to files/folders/devices that a user should
not have access to.

** Affects: libnss-extrausers (Ubuntu)
     Importance: Undecided
         Status: Confirmed

** Affects: libnss-extrausers (Debian)
     Importance: Undecided
         Status: New


** Tags: patch
-- 
groupsfile is ignored when any entry has id < 500
https://bugs.launchpad.net/bugs/785051
You received this bug notification because you are a member of Ubuntu Sponsors, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list