libuuid user is created without a shell

Bug #1454897 reported by Joshua Timberman
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| util-linux (Debian) | Fix Released | Unknown | | |
| util-linux (Ubuntu) | Won't Fix | Undecided | Unassigned | |

Bug Description

I'm reporting this bug against util-linux, which seems to be the source package for the affected packages related to the libuuid user:

* libuuid1
* uuid-runtime

Both of these packages manage the "libuuid" user. However, neither one of them sets a shell for the user. From the postinst scripts for both:

$ grep useradd /var/lib/dpkg/info/libuuid1\:amd64.postinst
   useradd -d /var/lib/libuuid -K UID_MIN=$FIRST_SYSTEM_UID -K UID_MAX=$LAST_SYSTEM_UID -g libuuid libuuid

$ grep useradd /var/lib/dpkg/info/uuid-runtime.postinst
   useradd -d /var/lib/libuuid -K UID_MIN=1 -K UID_MAX=499 -g libuuid libuuid

These postinst scripts should have a "-s /usr/sbin/nologin" (or /bin/false), because this is clearly a "system" user - the home directory is in /var/lib, and the UID/GID are set to a low range.

It would also be nice if the package included documentation that indicates why this user is needed, and what purpose this directory serves. I tried reading the util-linux source, but I couldn't find a definitive answer to this.
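
A check for the condition this report describes, as an added example (not part of the original report or of util-linux): it lists accounts in a passwd-format file whose UID is in a system range and whose shell field is empty or is not nologin/false. The function names, the default UID range 1-999 and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag system accounts that can still get a login shell.
# Per passwd(5), an empty shell field means /bin/sh is used at login.

# audit_system_shells FILE [UID_MIN] [UID_MAX]   (FILE may be "-" for stdin)
# Prints "name:uid:home:shell" for each flagged account; an empty shell
# field is shown as "(empty)". Returns 1 if any account was flagged.
# The default range 1-999 is an assumption; set it to local policy.
audit_system_shells() {
    awk -F: -v min="${2:-1}" -v max="${3:-999}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # skip comments, blank lines
        NF < 7 { next }                       # malformed entry
        $3 !~ /^[0-9]+$/ { next }             # non-numeric UID
        $3 + 0 < min || $3 + 0 > max { next } # outside the system range
        {
            shell = $7
            # Accept any path ending in nologin or false as a no-login shell.
            if (shell ~ /(^|\/)(nologin|false)$/) next
            if (shell == "") shell = "(empty)"
            printf "%s:%s:%s:%s\n", $1, $3, $6, shell
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample in passwd(5) format (not taken from a real host).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
libuuid:x:100:101::/var/lib/libuuid:
syslog:x:101:104::/home/syslog:/bin/false
svc:x:102:105::/var/lib/svc:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
}
```

On a live host, run `audit_system_shells /etc/passwd`; `sample_passwd | audit_system_shells -` exercises the constructed entries.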

Joshua Timberman (jtimberman) wrote :

I submitted this to Debian's bug tracker as well. I'll update this when I get a link.

Joshua Timberman (jtimberman) wrote :
Changed in util-linux (Debian):
status: Unknown → New
Joshua Timberman (jtimberman) wrote :

The Debian bug was closed because it's no longer relevant for Debian because 8.0 is now released.

- https://sources.debian.net/src/util-linux/2.25.2-6/debian/uuid-runtime.postinst/
- https://sources.debian.net/src/util-linux/2.25.2-6/debian/libuuid1.postinst/

I think that Ubuntu 14.04 should incorporate the /bin/false shell in the postinst scripts for uuid-runtime and libuuid1.

Changed in util-linux (Debian):
status: New → Fix Released
Martin Pitt (pitti) wrote :

We got this version in Ubuntu 15.04. The libuuid user does not exist any more; it got renamed to uuidd. adduser creates system users without a shell on purpose, as an additional security measure. That's not something which we want to change.

Changed in util-linux (Ubuntu):
status: New → Won't Fix