[Adduser-devel] Processed: Re: [Pkg-shadow-devel] Bug#407231: passwd: users may gain system group access on package installation by coincidence

Marc Haber mh+debian-packages at zugschlus.de
Wed Jan 17 12:42:32 CET 2007


tags #407231 confirmed
thanks

I can reproduce this bug on sid adduser and have written (and
committed) a test suite case to catch this.

I _think_ that this patch fixes the issue:
Index: adduser
===================================================================
--- adduser     (revision 689)
+++ adduser     (working copy)
@@ -244,11 +244,11 @@
 #################
 if ($action eq "addsysgroup") {
     # Check if requested group already exists and we can exit safely
-    if (existing_group_ok($new_name, $new_gid) == 1) {
+    if (existing_group_ok($new_name, $new_gid) == 2) {
        printf (gtx("The group `%s' already exists as a system group. Exiting.\n"), $new_name) if $verbose;
        exit 0;
     }
-    if (existing_group_ok($new_name, $new_gid) == 2) {
+    if (existing_group_ok($new_name, $new_gid) == 1) {
        printf (gtx("The group `%s' already exists, but has a different GID. Exiting.\n"), $new_name) if $verbose;
        exit 1;
     }
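Review bot: with the two return codes swapped, the second branch (`== 1`) now fires when the group exists as a non-system group with the requested GID or with no GID given, yet it still prints `already exists, but has a different GID` and exits 1, so the message no longer describes the condition it reports. The case that message does describe, a non-system group whose GID differs from $new_gid, is the one the rewritten existing_group_ok in the next hunk no longer returns 1 or 2 for, so addsysgroup passes both checks and carries on as if the name were free. Suggest calling existing_group_ok once into a variable instead of twice, then handling three explicit outcomes: system group (exit 0), exists as a non-system group with matching or unspecified GID (exit 1, with a message saying it is not a system group), and exists with a different GID (exit 1).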
@@ -695,21 +695,21 @@

 # returns 0 if the group doesn't exist or
 # returns 1 if the group already exists with the specified gid (or $new_gid wasn't specified)
-# returns 2 if the group already exists, but $new_gid doesn't match its gid
+# returns 2 if the group already exists as a system group
 sub existing_group_ok {
     my($new_name,$new_gid) = @_;
     my ($dummy1,$dummy2,$gid);
     if (($dummy1,$dummy2,$gid) = getgrnam($new_name)) {
+       if( $gid >= $config{"first_system_gid"} &&
+           $gid <= $config{"last_system_gid" } ) {
+               return 2;
+       }
        if( defined($new_gid) && $gid == $new_gid ) {
            return 1;
        }
        if (! defined($new_gid)) {
                return 1;
        }
-       if( $gid >= $config{"first_system_gid"} &&
-           $gid <= $config{"last_system_gid" } ) {
-               return 2;
-       }
     } else {
        return 0;
     }
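Review bot: moving the system-GID range test ahead of the GID comparison removes the only `return` for the remaining case: a group that exists outside the system range with a GID different from $new_gid now reaches the end of the `if (getgrnam)` block without an explicit return, so Perl hands back the value of the last evaluated expression (the false result of `! defined($new_gid)`), which a caller comparing numerically cannot tell apart from 0, "group doesn't exist". Add an explicit return for that case, e.g. `return 3;` just before the `} else {`, and list it in the comment block; the `returns 1 ... (or $new_gid wasn't specified)` line should also say that the system-group check now takes precedence. Because the comment changes what return value 2 means (from "different GID" to "system group"), any caller of existing_group_ok other than the addsysgroup branch in the first hunk needs the same review.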

I would like the people who are more knowledgeable with that part of
the code to comment before I commit this.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
