[Pkg-shadow-devel] Bug#407231: passwd: users may gain system group
access on package installation by coincidence
vinsci at refactor.fi
Wed Jan 17 02:54:26 CET 2007
Justification: root security hole
An ordinary user may end up with group ownership of system files
in the following scenario :
1. A user is added, and receives the user and group ids, <name>.
2. Later, a package is installed that asks for an identically named
system group to be created, using 'addgroup --system <name>'.
3. Addgroup returns with a success exit status, showing the message
'The group `<name>' already exists as a system group. Exiting.",
even though the pre-existing <name> group, as a group added for
a user has a non-system id (ie. outside the range 100-999 .
4. The user <name> now has access to all system files that are
installed for the <name> group.
The problem occurs because in /usr/sbin/addgroup, the code on/after
line 247 to existing_group_ok fails to check for and handle
the situation where the existing GID is outside of the system GID
 I discovered this while working on the packaging for kvm, which
will create a 'kvm' group, likely to collide with existing user
id:s on some systems.
-- System Information:
Debian Release: 4.0
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20-rc4-gd39c940
Locale: LANG=sv_FI.UTF-8, LC_CTYPE=sv_FI.UTF-8 (charmap=UTF-8)
Versions of packages passwd depends on:
ii debianutils 2.17.4 Miscellaneous utilities specific t
ii libc6 2.3.6.ds1-10 GNU C Library: Shared libraries
ii libpam-modules 0.79-4 Pluggable Authentication Modules f
ii libpam0g 0.79-4 Pluggable Authentication Modules l
ii libselinux1 1.32-3 SELinux shared libraries
ii login 1:184.108.40.206-6 system login tools
passwd recommends no packages.
-- debconf information:
More information about the Pkg-shadow-devel