libuuid user is created without a shell

Bug #1454897 reported by Joshua Timberman on 2015-05-14
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
util-linux (Debian) | Fix Released | Unknown | |
util-linux (Ubuntu) | | Undecided | Unassigned |

Bug Description

I'm reporting this bug against util-linux, which seems to be the source package for the affected packages related to the libuuid user:

* libuuid1
* uuid-runtime

Both of these packages manage the "libuuid" user. However, neither one of them sets a shell for the user. From the postinst scripts for both:

$ grep useradd /var/lib/dpkg/info/libuuid1\:amd64.postinst
   useradd -d /var/lib/libuuid -K UID_MIN=$FIRST_SYSTEM_UID -K UID_MAX=$LAST_SYSTEM_UID -g libuuid libuuid

$ grep useradd /var/lib/dpkg/info/uuid-runtime.postinst
   useradd -d /var/lib/libuuid -K UID_MIN=1 -K UID_MAX=499 -g libuuid libuuid

These postinst scripts should have a "-s /usr/sbin/nologin" (or /bin/false), because this is clearly a "system" user - the home directory is in /var/lib, and the UID/GID are set to a low range.

It would also be nice if the package included documentation that indicates why this user is needed, and what purpose this directory serves. I tried reading the util-linux source, but I couldn't find a definitive answer to this.
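
Added example, not part of the original report or of util-linux: a check for the condition described above, listing accounts in the system UID range whose passwd shell field is neither nologin nor false. The function name, the sample entries (including the hypothetical svc-example account) and the default upper bound of 499 (taken from the uuid-runtime postinst quoted above) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit passwd(5)-format input for system accounts that
# were created without a non-login shell.

# audit_system_shells FILE [MAX_SYSTEM_UID]
# FILE may be "-" to read standard input. Prints "name:uid:shell" for each
# flagged account. An empty shell field is printed as "(empty)"; per
# passwd(5) an empty field defaults to /bin/sh.
audit_system_shells() {
    awk -F: -v max="${2:-499}" '
        /^[ \t]*(#|$)/ { next }             # skip comments and blank lines
        NF < 7 { next }                     # skip malformed entries
        $3 !~ /^[0-9]+$/ { next }           # UID must be numeric
        $3 == 0 || $3 > max { next }        # root and regular users are out of scope
        $7 ~ /\/(nologin|false)$/ { next }  # already a non-login shell
        { printf "%s:%s:%s\n", $1, $3, ($7 == "" ? "(empty)" : $7) }
    ' "$1"
}

# Constructed sample entries (not taken from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
svc-example:x:110:115::/var/lib/svc-example:/bin/sh
messagebus:x:102:105::/var/run/dbus:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}

# Demo on the constructed sample; on a live host pass /etc/passwd instead.
sample_passwd | audit_system_shells - 499
```
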

Joshua Timberman (jtimberman) wrote :

I submitted this to Debian's bug tracker as well. I'll update this when I get a link.

Changed in util-linux (Debian):
status: Unknown → New
Joshua Timberman (jtimberman) wrote :

The Debian bug was closed because it's no longer relevant for Debian because 8.0 is now released.

- https://sources.debian.net/src/util-linux/2.25.2-6/debian/uuid-runtime.postinst/
- https://sources.debian.net/src/util-linux/2.25.2-6/debian/libuuid1.postinst/

I think that Ubuntu 14.04 should incorporate the /bin/false shell in the postinst scripts for uuid-runtime and libuuid1.

Changed in util-linux (Debian):
status: New → Fix Released
Martin Pitt (pitti) wrote :

We got this version in Ubuntu 15.04. The libuuid user does not exist any more; it got renamed to uuidd. adduser creates system users without a shell on purpose, as an additional security measure. That's not something which we want to change.

Changed in util-linux (Ubuntu):
status: New → Won't Fix