[Pkg-shadow-devel] Bug#407231: passwd: users may gain system group access on package installation by coincidence

Leonard Norrgård vinsci at refactor.fi
Wed Jan 17 02:54:26 CET 2007

Package: passwd
Version: 1:
Severity: critical
Tags: security
Justification: root security hole

An ordinary user may end up with group ownership of system files
in the following scenario [2]:

 1. A user is added, and receives the user and group ids, <name>.
 2. Later, a package is installed that asks for an identically named
    system group to be created, using 'addgroup --system <name>'.
 3. Addgroup returns with a success exit status, showing the message
    "The group `<name>' already exists as a system group. Exiting.",
    even though the pre-existing <name> group, as a group added for
    a user, has a non-system id (i.e. outside the range 100-999 [1]).
 4. The user <name> now has access to all system files that are
    installed for the <name> group.

The problem occurs because in /usr/sbin/addgroup, the code on/after
line 247 to existing_group_ok fails to check for and handle
the situation where the existing GID is outside of the system GID

[1] http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.2.2
[2] I discovered this while working on the packaging for kvm, which
    will create a 'kvm' group, likely to collide with existing user
    ids on some systems.

-- System Information:
Debian Release: 4.0
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20-rc4-gd39c940
Locale: LANG=sv_FI.UTF-8, LC_CTYPE=sv_FI.UTF-8 (charmap=UTF-8)

Versions of packages passwd depends on:
ii  debianutils                 2.17.4       Miscellaneous utilities specific t
ii  libc6                       2.3.6.ds1-10 GNU C Library: Shared libraries
ii  libpam-modules              0.79-4       Pluggable Authentication Modules f
ii  libpam0g                    0.79-4       Pluggable Authentication Modules l
ii  libselinux1                 1.32-3       SELinux shared libraries
ii  login                       1: system login tools

passwd recommends no packages.

-- debconf information:
  passwd/username: vinsci
  passwd/shadow: true
  passwd/make-user: true
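
An added example, not part of the original report and not code from addgroup: a shell check that a maintainer script could run rather than trusting the exit status of 'addgroup --system', to distinguish a real system group from a same-named user group. The helper name, its return codes and the sample group file are assumptions made for illustration; the 100-999 range is the one cited in the report.

```shell
#!/bin/sh
# Added example (not addgroup's code): classify an existing group by GID.
# The range is the system GID range 100-999 cited in the report.
SYS_GID_MIN=100
SYS_GID_MAX=999

# system_group_status NAME [GROUP_FILE]  (hypothetical helper)
# Prints absent | system | non-system | malformed.
# Returns 0 = system, 1 = absent, 2 = non-system (the collision), 3 = malformed.
system_group_status() {
    name=$1
    file=${2:-/etc/group}
    # group(5) format: name:password:GID:member,member
    gid=$(awk -F: -v n="$name" '$1 == n { print $3; exit }' "$file")
    if [ -z "$gid" ]; then
        echo absent; return 1
    fi
    case $gid in
        *[!0-9]*) echo malformed; return 3 ;;
    esac
    if [ "$gid" -ge "$SYS_GID_MIN" ] && [ "$gid" -le "$SYS_GID_MAX" ]; then
        echo system; return 0
    fi
    echo non-system; return 2
}

# Constructed sample data: 'kvm' is a user's private group (GID 1001),
# 'svc-demo' is a genuine system group (GID 108).
make_sample_group_file() {
    f=$(mktemp)
    printf '%s\n' 'svc-demo:x:108:' 'kvm:x:1001:' > "$f"
    echo "$f"
}

# Demo: what a maintainer script would see for each case.
sample=$(make_sample_group_file)
for g in svc-demo kvm missing; do
    printf '%s: %s\n' "$g" "$(system_group_status "$g" "$sample")"
done
rm -f "$sample"
```

A maintainer script that gets status 2 should stop and report the name collision rather than install files owned by that group.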
