[Bug 785051] Re: groupsfile is ignored when any entry has id < 500

Simon Quigley 785051 at bugs.launchpad.net
Fri Jan 19 18:02:54 UTC 2024


This seems rational to me. I would have hesitation if this was a more
user-level application that is *creating* these GIDs. However, the
purpose of this is as a tool for existing applications already
leveraging these GIDs, so it's worth looking past.

Instead of uploading to Ubuntu, uploading to Debian with some minor
DEP-3 tweaks to the patch. This should flow down to Ubuntu via autosync
in the next 24 hours.

Recommended reading in case someone wants to know more about Debian
Policy in this respect :)
https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes

** Changed in: libnss-extrausers (Ubuntu)
       Status: Confirmed => In Progress

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/785051

Title:
  groupsfile is ignored when any entry has id < 500

Status in libnss-extrausers package in Ubuntu:
  In Progress
Status in libnss-extrausers package in Debian:
  New

Bug description:
  [Impact]
  Binary package hint: libnss-extrausers

  If any /var/lib/extrausers/group entry has a gid < 500 then all
  entries from this file are ignored. libnss-extrausers-0.4 and
  libnss-extrausers-0.6-4 are affected as well. This bug also affects Ubuntu
  Core Desktop in an important way, because it heavily depends on
  extrausers, so currently it has to use a patched .deb file to fix
  this. This is one of the reasons to ask for a SRU for this bug.

  The following file works fine, the entries appear in 'getent group'
  output.

  extra0:x:500
  extra1:x:501

  This file however is not read properly, the entries are missing in
  output.

  extra0:x:499
  extra1:x:501

  The system in question for the original report was Ubuntu 10.04, libc6
  version is 2.13-0ubuntu13, but it also happens in Jammy.

  [Test plan]

  * install the libnss-extrausers package
  * edit the /etc/nsswitch.conf file, and modify the "group:" entry to include into it "compat extrausers". For example, if the entry didn't exist, it should be added as:

      group: compat extrausers

  ; instead, if it already existed as, for example, "group: files
  systemd", then add that at the end, thus:

      group: files systemd compat extrausers

  * edit the /var/lib/extrausers/group file and add this entry:

      test1:x:1008:

  (previously ensuring that there is neither group test1, nor gid 1008
  in the /etc/group file)

  * exit the editor and type

      getent group |grep test

  it should show the previous entry.

  * edit again the /var/lib/extrausers/group file and add this entry
  along with the previous one:

      test2:x:496:

  (again, ensure that there is neither group test2, nor gid 496 in the
  /etc/group file)

  * exit the editor and type again:

      getent group |grep test

  [Expected results]

  Both "test1:x:1008:" and "test2:x:496:" entries should be shown.
  Instead, if the package is buggy, no entry will be shown.

  [Where problems could occur]

  An incorrect set of access permissions for the
  /var/lib/extrausers/group file could allow new groups with
  privileged GIDs to be added, which could result in allowing access to
  files/folders/devices that a user should not have access to.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libnss-extrausers/+bug/785051/+subscriptions
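
The risk noted under [Where problems could occur] can be checked on a host. The following Python audit is an added example, not part of the bug report or of libnss-extrausers: it flags an unsafe owner or mode on /var/lib/extrausers/group and entries that fall in the system GID range or shadow /etc/group. The 0-999 system range is an assumption taken from the Debian Policy section linked above; the function names and sample group lines are constructed for illustration.

```python
import os
import stat

EXTRA_GROUP = "/var/lib/extrausers/group"  # path from the bug report
SYSTEM_GROUP = "/etc/group"
SYSTEM_GID_MAX = 999  # assumption: Debian Policy treats GIDs 0-999 as system IDs


def permission_findings(uid, mode):
    """Return problems with the group file's owner uid and st_mode bits."""
    findings = []
    if uid != 0:
        findings.append(f"owner uid is {uid}, expected 0 (root)")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {stat.S_IMODE(mode):04o} is group/world writable")
    return findings


def parse_groups(text):
    """Yield (name, gid) for each well-formed name:passwd:gid[:members] line."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) >= 3 and fields[0] and fields[2].isdigit():
            yield fields[0], int(fields[2])


def entry_findings(extra_text, system_text):
    """Flag extrausers groups that shadow /etc/group or use a system-range GID."""
    sys_by_gid = {gid: name for name, gid in parse_groups(system_text)}
    sys_names = set(sys_by_gid.values())
    findings = []
    for name, gid in parse_groups(extra_text):
        if gid in sys_by_gid and sys_by_gid[gid] != name:
            findings.append(f"{name}: gid {gid} duplicates {sys_by_gid[gid]} in /etc/group")
        elif name in sys_names:
            findings.append(f"{name}: name already defined in /etc/group")
        elif gid <= SYSTEM_GID_MAX:
            findings.append(f"{name}: gid {gid} is in the system range (0-{SYSTEM_GID_MAX})")
    return findings


if __name__ == "__main__":
    # Constructed sample input: the two test-plan entries and a mode of 0664.
    extra, system = "test1:x:1008:\ntest2:x:496:\n", "root:x:0:\ndisk:x:6:\n"
    report = permission_findings(0, 0o100664) + entry_findings(extra, system)
    if os.path.exists(EXTRA_GROUP):  # on a real host, audit the live files instead
        st = os.stat(EXTRA_GROUP)
        with open(EXTRA_GROUP) as e, open(SYSTEM_GROUP) as s:
            report = permission_findings(st.st_uid, st.st_mode) + entry_findings(e.read(), s.read())
    print("\n".join(report) or "no findings")
```

A system-range finding is a prompt to confirm the entry is intended, since the fix discussed in this bug makes such entries take effect.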



