useradd/groupadd existence check races

useradd has a race between checking if a username is already in use and updating the pw database:

getpwnam check <http://anonscm.debian.org/cgit/pkg-shadow/shadow.git/tree/src/useradd.c#n2085>
open_files lock on line 2127 of same

groupadd has a race between checking if a groupname is already in use and updating the gr database:

getgrnam check <http://anonscm.debian.org/cgit/pkg-shadow/shadow.git/tree/src/groupadd.c#n483>
open_files lock on line 609 of same

This race is exhibited when multiple processes attempt to use the error return code of useradd/groupadd to indicate whether they have successfully created a unique user for themselves. If the race occurs, the uid/gid of the database entry may change out from under the first successful process as the second process finds an unused uid/gid and then updates the database using the same key (but the new uid/gid).

I believe this bug exists since at least shadow 4.1.4.2 in both Ubuntu and Debian distributions. I don't believe this bug is a security vulnerability except in contexts where attackers may have control over user/group creation by applications assuming that the database locks ensure non-collision.

Obligatory:

1)# lsb_release -rd
Description: Ubuntu 10.04 LTS
Release: 10.04

2)# apt-cache policy passwd
passwd:
  Installed: 1:4.1.4.2-1ubuntu2.2
  Candidate: 1:4.1.4.2-1ubuntu2.2
  Version table:
 *** 1:4.1.4.2-1ubuntu2.2 0
        500 http://www-uxsup.csx.cam.ac.uk/pub/linux/ubuntu/ lucid-updates/main Packages
        500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     1:4.1.4.2-1ubuntu2 0
        500 http://www-uxsup.csx.cam.ac.uk/pub/linux/ubuntu/ lucid/main Packages

3) groupadd/useradd should either consistently let the operator overwrite existing groups/users or should consistently produce a name collision error

4) groupadd/useradd sometimes exit due to name collisions and sometimes overwrite existing groups/users