groupsfile is ignored when any entry has id < 500

Bug #785051 reported by Marcus Blomenkamp
This bug affects 3 people
Affects | Status | Importance | Assigned to | Milestone
libnss-extrausers (Debian) | New | Undecided | Unassigned |
libnss-extrausers (Ubuntu) | Fix Released | Undecided | Unassigned |

Bug Description

[Impact]
Binary package hint: libnss-extrausers

If any /var/lib/extrausers/group entry has a gid < 500 then all entries from this file are ignored. libnss-extrausers-0.4 and libnss-extrausers-0.6-4 are affected as well. This bug also affects Ubuntu Core Desktop in an important way, because it heavily depends on extrausers, so currently it has to use a patched .deb file to fix this. This is one of the reasons to ask for a SRU for this bug.

The following file works fine, the entries appear in 'getent group' output.

extra0:x:500
extra1:x:501

This file however is not read properly, the entries are missing in output.

extra0:x:499
extra1:x:501

The system in question for the original report was Ubuntu 10.04, libc6 version is 2.13-0ubuntu13, but it also happens in Jammy.

[Test plan]

* install the libnss-extrausers package
* edit the /etc/nsswitch.conf file, and modify the "group:" entry to include into it "compat extrausers". For example, if the entry didn't exist, it should be added as:

    group: compat extrausers

; instead, if it already existed as, for example, "group: files systemd", then add that at the end, thus:

    group: files systemd compat extrausers

* edit the /var/lib/extrausers/group file and add this entry:

    test1:x:1008:

(previously ensuring that there is neither group test1, nor gid 1008 in the /etc/group file)

* exit the editor and type

    getent group |grep test

it should show the previous entry.

* edit again the /var/lib/extrausers/group file and add this entry along with the previous one:

    test2:x:496:

(again, ensure that there is neither group test2, nor gid 496 in the /etc/group file)

* exit the editor and type again:

    getent group |grep test

[Expected results]

Both "test1:x:1008:" and "test2:x:496:" entries should be shown. Instead, if the package is buggy, no entry will be shown.

[Where problems could occur]

An incorrect set of access permissions for the /var/lib/extrausers/group file could allow new groups with privileged GIDs to be added, which could result in allowing access to files/folders/devices that a user should not have access to.
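
A check for the risk described under [Where problems could occur], as an added example that is not part of the bug report or of libnss-extrausers. The function name, the finding labels and the 999 cut-off (taken as the top of the system GID range) are assumptions; with the fixed package a low GID is legitimate, so LOWGID and DUPGID lines are items to review, not errors.

```shell
#!/bin/sh
# Added example: review an extrausers group file before NSS trusts it.
# Usage: audit_extrausers_group EXTRA_FILE BASE_FILE [SYSTEM_GID_MAX]
# Prints one finding per line; returns 0 when clean, 1 when anything is found.
audit_extrausers_group() {
    extra=$1 base=$2 max=${3:-999}   # 999: assumed top of the system GID range
    findings=$(
        # A write bit for group or other lets non-root users define groups.
        if [ -n "$(find "$extra" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "PERM $extra is group- or world-writable"
        fi
        awk -F: -v max="$max" '
            FILENAME == ARGV[1] { names[$1] = 1; gids[$3] = $1; next }  # base file
            /^#/ || NF < 3      { next }
            $3 !~ /^[0-9]+$/    { print "BADGID " $1 " gid=" $3; next }
            ($1 in names)       { print "DUPNAME " $1 " also defined in base file" }
            ($3 in gids)        { print "DUPGID " $1 " gid=" $3 " same gid as base group " gids[$3] }
            ($3 + 0 <= max)     { print "LOWGID " $1 " gid=" $3 }
        ' "$base" "$extra"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample data, not taken from a real system.
demo() {
    d=$(mktemp -d)
    printf 'root:x:0:\nvideo:x:44:\n' > "$d/group"
    printf 'test1:x:1008:\ntest2:x:496:\nvideo:x:44:alice\n' > "$d/extra"
    chmod 644 "$d/group" "$d/extra"
    audit_extrausers_group "$d/extra" "$d/group"
    rc=$?
    rm -rf "$d"
    return $rc
}

demo || echo "demo: findings above need review"
```

On a real system the arguments would be /var/lib/extrausers/group and /etc/group.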

Tags: patch
description: updated
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libnss-extrausers (Ubuntu):
status: New → Confirmed
Sergio Costas (rastersoft-gmail) wrote :

There is a patched .deb in the Core Desktop PPA: https://launchpad.net/~desktop-snappers/+archive/ubuntu/core-desktop (version 0.6-4.1+ucd1).

description: updated
Sergio Costas (rastersoft-gmail) wrote :
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "This file contains the diff extracted from the .deb available in the Ubuntu Core Desktop PPA." seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Simon Quigley (tsimonq2) wrote :

This seems rational to me. I would have hesitation if this was a more user-level application that is *creating* these GIDs. However, the purpose of this is as a tool for existing applications already leveraging these GIDs, so it's worth looking past.

Instead of uploading to Ubuntu, uploading to Debian with some minor DEP-3 tweaks to the patch. This should flow down to Ubuntu via autosync in the next 24 hours.

Recommended reading in case someone wants to know more about Debian Policy in this respect :) https://www.debian.org/doc/debian-policy/ch-opersys.html#uid-and-gid-classes

Changed in libnss-extrausers (Ubuntu):
status: Confirmed → In Progress
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libnss-extrausers - 0.6-5

---------------
libnss-extrausers (0.6-5) unstable; urgency=medium

  [ Simon Quigley ]
  * Team upload.
  * ACK the previous NMU on behalf of the Debian QA Team. Thank you!

  [ James Henstridge ]
  * Allow low group IDs in order to extend /etc/group group membership
    (LP: #785051).

 -- Simon Quigley <email address hidden> Fri, 19 Jan 2024 11:53:07 -0600

Changed in libnss-extrausers (Ubuntu):
status: In Progress → Fix Released