Comment 1 for bug 10539

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sun, 21 Nov 2004 16:57:03 +0100
From: Vincent Lefevre <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: slocate has been installed with a wrong group (conflict with NIS)

Package: slocate
Version: 2.7-4
Severity: grave
Justification: user security hole

The slocate package has been installed with a wrong group, apparently
due to a conflict with NIS:

dixsept:~# ls -l /usr/bin/slocate /var/lib/slocate/slocate.db
-rwxr-sr-x 1 root fax 27064 Sep 14 07:48 /usr/bin/slocate
-rw-r----- 1 root fax 2217900 Nov 21 16:51 /var/lib/slocate/slocate.db
dixsept:~# grep fax /etc/group
fax:x:21:
dixsept:~# ypmatch slocate group
slocate:*:21:root # pour linux
dixsept:~# grep ^group: /etc/nsswitch.conf
group: files nis

It seems that the slocate installation script thought that the slocate
group already existed since it is a NIS group. But the corresponding
gid is already used in /etc/group (Debian doesn't seem to have a way
to avoid that). The consequence is that potential users added to group
fax will be able to read private data from the slocate database.

Moreover, slocate can't be completely removed:

[...]
Removing group `slocate'...
groupdel: error removing group entry
groupdel: error removing shadow group entry
/usr/sbin/delgroup: `/usr/sbin/groupdel slocate' returned error code 10. Aborting.
dpkg: error processing slocate (--remove):
 subprocess post-removal script returned error exit status 10
chown: cannot access `/usr/bin/slocate': No such file or directory
dpkg: error while cleaning up:
 subprocess post-installation script returned error exit status 1
Errors were encountered while processing:
 slocate
E: Sub-process /usr/bin/dpkg returned an error code (1)

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)

Versions of packages slocate depends on:
ii adduser 3.59 Add and remove users and groups
ii dpkg 1.10.25 Package maintenance system for Deb
ii libc6 2.3.2.ds1-18 GNU C Library: Shared libraries an

-- no debconf information
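
A check for the condition described in this report, as an added example that is not part of the original bug report or of the slocate package: it compares a local group file against a dump of the NIS group map and reports every GID that the two sources assign to different names, then lists setgid files owned by such a GID. The function names are hypothetical, and it assumes both inputs are in group(5) format (the NIS side being, for instance, the saved output of `ypcat group`).

```shell
#!/bin/sh
# Added example: find GIDs claimed by a local group and a NIS group under
# different names (the fax/slocate situation on gid 21 in the report above).

# gid_collisions LOCAL_GROUP_FILE NIS_GROUP_DUMP
# Both files use group(5) format: name:passwd:gid:members
# Prints one line per colliding GID: "gid N: local=NAME nis=NAME"
gid_collisions() {
    awk -F: '
        # First file: remember which local name owns each GID.
        # FILENAME is compared rather than NR==FNR so that an empty
        # local file is not confused with the NIS dump.
        FILENAME == ARGV[1] {
            if ($3 != "") localname[$3] = $1
            next
        }
        # Second file: same GID, different name means group lookups by
        # number and by name disagree depending on the source consulted.
        ($3 in localname) && localname[$3] != $1 {
            printf "gid %s: local=%s nis=%s\n", $3, localname[$3], $1
        }
    ' "$1" "$2"
}

# setgid_files_for_gid ROOT_DIR GID
# Lists setgid regular files under ROOT_DIR whose numeric group is GID,
# i.e. the files whose privileges are shared by both colliding groups.
setgid_files_for_gid() {
    find "$1" -xdev -type f -perm -2000 -gid "$2" -print 2>/dev/null
}

# Typical use on a live host (not run automatically):
#   ypcat group > /tmp/nis-group.txt
#   gid_collisions /etc/group /tmp/nis-group.txt
#   setgid_files_for_gid /usr 21
```

A package's group-creation step can look up the group name through NSS and find it in NIS while the numeric GID already belongs to an unrelated local group, so comparing by number, as done here, is what exposes the overlap.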