slocate has been installed with a wrong group (conflict with NIS)

Bug #10539 reported by Debian Bug Importer
Affects           Status        Importance  Assigned to  Milestone
slocate (Debian)  Fix Released  Unknown
slocate (Ubuntu)  Invalid       High        Unassigned

Bug Description

Automatically imported from Debian bug report #282355 http://bugs.debian.org/282355

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 21 Nov 2004 16:57:03 +0100
From: Vincent Lefevre <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: slocate has been installed with a wrong group (conflict with NIS)

Package: slocate
Version: 2.7-4
Severity: grave
Justification: user security hole

The slocate package has been installed with a wrong group, apparently
due to a conflict with NIS:

dixsept:~# ls -l /usr/bin/slocate /var/lib/slocate/slocate.db
-rwxr-sr-x 1 root fax 27064 Sep 14 07:48 /usr/bin/slocate
-rw-r----- 1 root fax 2217900 Nov 21 16:51 /var/lib/slocate/slocate.db
dixsept:~# grep fax /etc/group
fax:x:21:
dixsept:~# ypmatch slocate group
slocate:*:21:root # pour linux
dixsept:~# grep ^group: /etc/nsswitch.conf
group: files nis

It seems that the slocate installation script thought that the slocate
group already existed since it is a NIS group. But the corresponding
gid is already used in /etc/group (Debian doesn't seem to have a way
to avoid that). The consequence is that potential users added to group
fax will be able to read private data from the slocate database.

Moreover slocate can't be completely removed:

[...]
Removing group `slocate'...
groupdel: error removing group entry
groupdel: error removing shadow group entry
/usr/sbin/delgroup: `/usr/sbin/groupdel slocate' returned error code 10. Aborting.
dpkg: error processing slocate (--remove):
 subprocess post-removal script returned error exit status 10
chown: cannot access `/usr/bin/slocate': No such file or directory
dpkg: error while cleaning up:
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
 slocate
E: Sub-process /usr/bin/dpkg returned an error code (1)

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)

Versions of packages slocate depends on:
ii adduser 3.59 Add and remove users and groups
ii dpkg 1.10.25 Package maintenance system for Deb
ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an

-- no debconf information

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 27 Nov 2004 23:24:41 +0000
From: Steve McIntyre <email address hidden>
To: <email address hidden>
Subject: Re: slocate has been installed with a wrong group (conflict with NIS)

severity 282355 wishlist
thanks

This is _not_ a serious bug in slocate. If anything, this should be a
wishlist bug against login (the package providing sg) or adduser
(addgroup) for not recognising the NIS groups. Please reassign to one
of those if necessary, but the fundamental problem is that your Debian
system doesn't agree with your NIS setup.

-- 
Steve McIntyre, Cambridge, UK. steve@einval.com
  Mature Sporty Personal
  More Innovation More Adult
  A Man in Dandism
  Powered Midship Specialty

Matt Zimmerman (mdz) wrote :

gid collisions between NIS and /etc/group cause bad things to happen

Changed in slocate (Debian):
status: New → Fix Released
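
A check for the condition discussed in this report, as an added example that is not part of the bug thread or of any Debian package: it compares a local group file with a dump of the NIS group map and lists GIDs that carry different names in the two. The function names and all sample entries other than the fax/slocate pair on GID 21 are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bug report. Lists GIDs that resolve to
# different group names in the local group file and in the NIS group map.

# gid_collisions LOCAL_FILE NIS_FILE
# Both files use group(5) format (name:passwd:gid:members). On a live host
# they would be /etc/group and the output of `ypcat group`.
# Output: one line "GID LOCAL_NAME NIS_NAME" per conflicting GID.
gid_collisions() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }          # comments, blank lines
        /^[+-]/ { next }                 # NIS compat markers in /etc/group
        NF < 3 { next }                  # malformed entry
        FILENAME == ARGV[1] {
            # "group: files nis" consults files first, so the first local
            # name for a GID is the one ls -l will display.
            if (!($3 in localname)) localname[$3] = $1
            next
        }
        ($3 in localname) && localname[$3] != $1 {
            print $3, localname[$3], $1
        }
    ' "$1" "$2" | sort -n
}

# Constructed sample data. Only the fax/slocate pair on GID 21 is taken
# from the report; every other entry is made up for the demonstration.
run_demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/group" <<'EOF'
root:x:0:
fax:x:21:
users:x:100:
EOF
    cat > "$tmp/nis" <<'EOF'
slocate:*:21:root # pour linux
users:*:100:
projects:*:5000:alice
EOF
    gid_collisions "$tmp/group" "$tmp/nis"
    rm -rf "$tmp"
}

run_demo   # prints: 21 fax slocate
```

Any line of output marks a GID whose files, such as the setgid slocate binary and its database in the report, are accessible to members of the local group of that number.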