[Pkg-shadow-devel] Bug#990350: Bug#990350: shadow: spurious subuid/subgid entries

Serge E. Hallyn serge at hallyn.com
Sat Jun 26 17:57:55 BST 2021


On Sat, Jun 26, 2021 at 05:57:02PM +0200, Christoph Anton Mitterer wrote:
> Source: shadow
> Version: 1:4.8.1-1
> Severity: normal
> 
> 
> Hey there.
> 
> 
> I've recently noted that some of my systems had entries like
> 
> $ cat /etc/subuid
> debian-security-support:100000:65536
> lightdm:427680:65536
> _apt:493216:65536
> 
> $ cat /etc/subgid
> debian-security-support:100000:65536
> lightdm:427680:65536
> _apt:493216:65536
> 
> 
> While in a freshly debootstrapped chroot, with the same packages installed
> there is neither of these entries.
> 
> I tried to find out whether these packages themselves ever manually added
> the entries, but it doesn't seem so, they just call adduser.

adduser does not create the entries, but useradd does.  That is because
useradd ships from the shadow source package, adduser does not.

> After a while of trying I've noted - and this is the main reason for this
> (possible) bug - that entries are created for normal users, but not for
> system users.
> 
> Not sure if this is by accident - if not, it should perhaps at least be documented
> in the manpage.

The fact that it doesn't happen for system users is not clearly spelled
out, you're right.

> It's still a bit strange though, that I see exactly those entries from
> above in my files, cause when I look at my passwd it has:
> ...
> dnsmasq:x:120:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
> dcmtk:x:122:139::/var/lib/dcmtk/db:/bin/sh
> debian-security-support:x:123:140:Debian security support check,,,:/var/lib/debian-security-support:/bin/false
> uuidd:x:100:102::/run/uuidd:/usr/sbin/nologin
> lightdm:x:128:146:Light Display Manager:/var/lib/lightdm:/bin/false
> _apt:x:129:65534::/nonexistent:/usr/sbin/nologin
> libvirt-qemu:x:64055:127:Libvirt Qemu,,,:/var/lib/libvirt:/usr/sbin/nologin
> ...
> 
> Now let's assume the behaviour of adding subuid/subgid entries started some
> time after my dcmtk was created... and ended for system users some time
> before libvirt-qemu was created...
> then it still doesn't explain why uuidd, which was chronologically likely in
> between, didn't get one.

Could adduser vs useradd explain it?

> Cheers,
> Chris.
> 
> PS: Is there a recommended way to add the subuid/subgid entries for all those
> users/groups that were created before this was introduced and which would
> get them, were they created now?

You could script that through usermod, but it might be worth explicitly
adding a usermod flag to say 'only add subuid if it doesn't already
have one'
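
A dry-run sketch of the scripting approach suggested in the reply above, added here as an example and not part of the original message or of shadow itself. The function name `plan_subids`, the UID window 1000-60000 used to pick out normal users, and the 100000/65536 start and count are assumptions modelled on common login.defs defaults; the passwd and subuid contents are constructed sample data.

```shell
#!/bin/sh
# plan_subids PASSWD SUBID_FILE FLAG [UID_MIN UID_MAX SUB_MIN COUNT]
# Dry run: prints one usermod command for each normal user with no range yet.
# Defaults mirror common login.defs values (assumed; check your own file).
plan_subids() {
    awk -F: -v flag="$3" -v umin="${4:-1000}" -v umax="${5:-60000}" \
        -v free="${6:-100000}" -v count="${7:-65536}" '
        # Existing ranges (owner:start:count); owner may be a name or a UID.
        mode == "sub" && NF >= 3 {
            have[$1] = 1
            if ($2 + $3 > free) free = $2 + $3   # allocate past the highest range
            next
        }
        # passwd entries: skip system users and anyone who already owns a range.
        mode == "pw" && $3 >= umin && $3 <= umax && !($1 in have) && !($3 in have) {
            printf "usermod %s %d-%d %s\n", flag, free, free + count - 1, $1
            free += count
        }
    ' mode=sub "$2" mode=pw "$1"
}

# Constructed sample data (not taken from a real system).
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
_apt:x:129:65534::/nonexistent:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF
cat > "$tmp/subuid" <<'EOF'
alice:100000:65536
lightdm:427680:65536
EOF

# Only bob is missing a range; it is placed after the highest existing one.
plan_subids "$tmp/passwd" "$tmp/subuid" --add-subuids
rm -rf "$tmp"
```

On a real system the same function would be pointed at /etc/passwd with /etc/subuid and `--add-subuids`, then at /etc/subgid with `--add-subgids`, and the printed commands reviewed before being run as root.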


