2024-04-23 10:21:03 |
Valentin David |
bug |
|
|
added bug |
2024-04-23 10:41:03 |
Simon Chopin |
shadow (Ubuntu): assignee |
|
Simon Chopin (schopin) |
|
2024-04-23 14:10:25 |
Simon Chopin |
tags |
|
foundations-todo |
|
2024-05-22 11:28:42 |
Simon Chopin |
nominated for series |
|
Ubuntu Noble |
|
2024-05-22 11:28:42 |
Simon Chopin |
bug task added |
|
shadow (Ubuntu Noble) |
|
2024-05-22 11:28:42 |
Simon Chopin |
nominated for series |
|
Ubuntu Oracular |
|
2024-05-22 11:28:42 |
Simon Chopin |
bug task added |
|
shadow (Ubuntu Oracular) |
|
2024-05-22 11:29:05 |
Simon Chopin |
nominated for series |
|
Ubuntu Jammy |
|
2024-05-22 11:29:05 |
Simon Chopin |
bug task added |
|
shadow (Ubuntu Jammy) |
|
2024-05-22 11:29:05 |
Simon Chopin |
nominated for series |
|
Ubuntu Mantic |
|
2024-05-22 11:29:05 |
Simon Chopin |
bug task added |
|
shadow (Ubuntu Mantic) |
|
2024-05-22 11:29:12 |
Simon Chopin |
shadow (Ubuntu Mantic): status |
New |
Won't Fix |
|
2024-05-22 11:29:49 |
Simon Chopin |
shadow (Ubuntu Jammy): status |
New |
Invalid |
|
2024-05-22 11:29:54 |
Simon Chopin |
shadow (Ubuntu Oracular): status |
New |
Fix Committed |
|
2024-05-22 12:03:50 |
Simon Chopin |
shadow (Ubuntu Noble): importance |
Undecided |
High |
|
2024-05-22 12:03:56 |
Simon Chopin |
shadow (Ubuntu Noble): status |
New |
In Progress |
|
2024-05-22 12:04:00 |
Simon Chopin |
shadow (Ubuntu Noble): assignee |
|
Simon Chopin (schopin) |
|
2024-05-22 15:04:31 |
Simon Chopin |
description |
On Ubuntu Core 24 calling the command line
useradd --extrausers --groups somegroup somenewuser
... fails with:
useradd: cannot lock /etc/group; try again later.
It worked on 22.04. /etc is not writable. It also fails if somegroup is a group in extrausers. |
[ Impact ]
On Ubuntu Core 24 calling the command line
useradd --extrausers --groups somegroup somenewuser
... fails with:
useradd: cannot lock /etc/group; try again later.
It worked on 22.04. /etc is not writable. It also fails if somegroup is a group in extrausers.
[ Test Plan ]
Part of the upload is adding an autopkgtest script testing useradd and usermod in the extrausers+readonly-etc case.
In addition, the following commands should be run as root in a fresh container:
```
# Install prerequisites
apt install libnss-extrausers
vim /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow
# Sanity checks of "normal" path
groupadd etcgroup
useradd --groups etcgroup etcuser
id etcuser | grep etcgroup
groupadd etcgroup2
usermod --groups etcgroup2 etcuser
id etcuser | grep etcgroup2
useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
ls /var/lib/extrausers/ # should be empty
# Sanity checks of "extrausers" path in rw context
groupadd --extrausers extragroup
useradd --extrausers --groups extragroup extrauser # currently fails
id extrauser | grep extragroup
useradd --extrausers extrauser2
id extrauser2
usermod --extrausers --groups extragroup extrauser2
id extrauser2 | grep extragroup
# Sanity checks of "extrausers" path in ro context
mv /etc /etc-rw
mkdir /etc
mount -o bind,ro /etc-rw /etc
groupadd --extrausers extragroup2
useradd --extrausers --groups etcgroup extrauser3
id extrauser3 | grep etcgroup
usermod --extrausers --groups extragroup2 extrauser3
id extrauser3 | grep extragroup2
```
Furthermore, validation from the Ubuntu Core team that this actually fixes
their use case is required.
[ Where problems could occur ]
Regression potential is in the group validation stage of the `usermod` and
`useradd` tools. Besides the usual risks related to C code, the various failure
scenarios that come to mind are:
* try to add the user to a non-existing local group, which would fail further
down with a different error message
* actually fail to identify a valid local group
* Fail to either add the user to the system, or the user to the group
* Update the wrong file (/var/lib/extrausers/* vs /etc/*) |
|
2024-05-24 21:52:00 |
Steve Langasek |
description |
[ Impact ]
On Ubuntu Core 24 calling the command line
useradd --extrausers --groups somegroup somenewuser
... fails with:
useradd: cannot lock /etc/group; try again later.
It worked on 22.04. /etc is not writable. It also fails if somegroup is a group in extrausers.
[ Test Plan ]
Part of the upload is adding an autopkgtest script testing useradd and usermod in the extrausers+readonly-etc case.
In addition, the following commands should be run as root in a fresh container:
```
# Install prerequisites
apt install libnss-extrausers
vim /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow
# Sanity checks of "normal" path
groupadd etcgroup
useradd --groups etcgroup etcuser
id etcuser | grep etcgroup
groupadd etcgroup2
usermod --groups etcgroup2 etcuser
id etcuser | grep etcgroup2
useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
ls /var/lib/extrausers/ # should be empty
# Sanity checks of "extrausers" path in rw context
groupadd --extrausers extragroup
useradd --extrausers --groups extragroup extrauser # currently fails
id extrauser | grep extragroup
useradd --extrausers extrauser2
id extrauser2
usermod --extrausers --groups extragroup extrauser2
id extrauser2 | grep extragroup
# Sanity checks of "extrausers" path in ro context
mv /etc /etc-rw
mkdir /etc
mount -o bind,ro /etc-rw /etc
groupadd --extrausers extragroup2
useradd --extrausers --groups etcgroup extrauser3
id extrauser3 | grep etcgroup
usermod --extrausers --groups extragroup2 extrauser3
id extrauser3 | grep extragroup2
```
Furthermore, validation from the Ubuntu Core team that this actually fixes
their use case is required.
[ Where problems could occur ]
Regression potential is in the group validation stage of the `usermod` and
`useradd` tools. Besides the usual risks related to C code, the various failure
scenarios that come to mind are:
* try to add the user to a non-existing local group, which would fail further
down with a different error message
* actually fail to identify a valid local group
* Fail to either add the user to the system, or the user to the group
* Update the wrong file (/var/lib/extrausers/* vs /etc/*) |
[ Impact ]
On Ubuntu Core 24 calling the command line
useradd --extrausers --groups somegroup somenewuser
... fails with:
useradd: cannot lock /etc/group; try again later.
It worked on 22.04. /etc is not writable. It also fails if somegroup is a group in extrausers.
[ Test Plan ]
Part of the upload is adding an autopkgtest script testing useradd and usermod in the extrausers+readonly-etc case.
In addition, the following commands should be run as root in a fresh container:
```
# Install prerequisites
apt install libnss-extrausers
sed -i -r -e'/^(passwd|group|shadow|gshadow)/ s/$/ extrausers/' /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow
# Sanity checks of "normal" path
groupadd etcgroup
useradd --groups etcgroup etcuser
id etcuser | grep etcgroup
groupadd etcgroup2
usermod --groups etcgroup2 etcuser
id etcuser | grep etcgroup2
useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
ls /var/lib/extrausers/ # should be empty
# Sanity checks of "extrausers" path in rw context
groupadd --extrausers extragroup
useradd --extrausers --groups extragroup extrauser # currently fails
id extrauser | grep extragroup
useradd --extrausers extrauser2
id extrauser2
usermod --extrausers --groups extragroup extrauser2
id extrauser2 | grep extragroup
# Sanity checks of "extrausers" path in ro context
mv /etc /etc-rw
mkdir /etc
mount -o bind,ro /etc-rw /etc
groupadd --extrausers extragroup2
useradd --extrausers --groups etcgroup extrauser3
id extrauser3 | grep etcgroup
usermod --extrausers --groups extragroup2 extrauser3
id extrauser3 | grep extragroup2
```
Furthermore, validation from the Ubuntu Core team that this actually fixes
their use case is required.
[ Where problems could occur ]
Regression potential is in the group validation stage of the `usermod` and
`useradd` tools. Besides the usual risks related to C code, the various failure
scenarios that come to mind are:
* try to add the user to a non-existing local group, which would fail further
down with a different error message
* actually fail to identify a valid local group
* Fail to either add the user to the system, or the user to the group
* Update the wrong file (/var/lib/extrausers/* vs /etc/*) |
|
2024-05-24 21:52:26 |
Steve Langasek |
shadow (Ubuntu Noble): status |
In Progress |
Fix Committed |
|
2024-05-24 21:52:28 |
Steve Langasek |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2024-05-24 21:52:30 |
Steve Langasek |
bug |
|
|
added subscriber SRU Verification |
2024-05-24 21:52:35 |
Steve Langasek |
tags |
foundations-todo |
foundations-todo verification-needed verification-needed-noble |
|
2024-05-27 09:13:34 |
Martin Pitt |
tags |
foundations-todo verification-needed verification-needed-noble |
foundations-todo verification-failed verification-failed-noble |
|
2024-05-27 09:13:40 |
Martin Pitt |
tags |
foundations-todo verification-failed verification-failed-noble |
foundations-todo regression-proposed verification-failed verification-failed-noble |
|
2024-05-27 15:44:26 |
Simon Chopin |
description |
[ Impact ]
On Ubuntu Core 24 calling the command line
useradd --extrausers --groups somegroup somenewuser
... fails with:
useradd: cannot lock /etc/group; try again later.
It worked on 22.04. /etc is not writable. It also fails if somegroup is a group in extrausers.
[ Test Plan ]
Part of the upload is adding an autopkgtest script testing useradd and usermod in the extrausers+readonly-etc case.
In addition, the following commands should be run as root in a fresh container:
```
# Install prerequisites
apt install libnss-extrausers
sed -i -r -e'/^(passwd|group|shadow|gshadow)/ s/$/ extrausers/' /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow
# Sanity checks of "normal" path
groupadd etcgroup
useradd --groups etcgroup etcuser
id etcuser | grep etcgroup
groupadd etcgroup2
usermod --groups etcgroup2 etcuser
id etcuser | grep etcgroup2
useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
ls /var/lib/extrausers/ # should be empty
# Sanity checks of "extrausers" path in rw context
groupadd --extrausers extragroup
useradd --extrausers --groups extragroup extrauser # currently fails
id extrauser | grep extragroup
useradd --extrausers extrauser2
id extrauser2
usermod --extrausers --groups extragroup extrauser2
id extrauser2 | grep extragroup
# Sanity checks of "extrausers" path in ro context
mv /etc /etc-rw
mkdir /etc
mount -o bind,ro /etc-rw /etc
groupadd --extrausers extragroup2
useradd --extrausers --groups etcgroup extrauser3
id extrauser3 | grep etcgroup
usermod --extrausers --groups extragroup2 extrauser3
id extrauser3 | grep extragroup2
```
Furthermore, validation from the Ubuntu Core team that this actually fixes
their use case is required.
[ Where problems could occur ]
Regression potential is in the group validation stage of the `usermod` and
`useradd` tools. Besides the usual risks related to C code, the various failure
scenarios that come to mind are:
* try to add the user to a non-existing local group, which would fail further
down with a different error message
* actually fail to identify a valid local group
* Fail to either add the user to the system, or the user to the group
* Update the wrong file (/var/lib/extrausers/* vs /etc/*) |
[ Impact ]
On Ubuntu Core 24 calling the command line
useradd --extrausers --groups somegroup somenewuser
... fails with:
useradd: cannot lock /etc/group; try again later.
It worked on 22.04. /etc is not writable. It also fails if somegroup is a group in extrausers.
[ Test Plan ]
Part of the upload is adding an autopkgtest script testing useradd and usermod in the extrausers+readonly-etc case.
In addition, the following commands should be run as root in a fresh container:
```
# Install prerequisites
apt install libnss-extrausers
sed -i -r -e'/^(passwd|group|shadow|gshadow)/ s/$/ extrausers/' /etc/nsswitch.conf # enable extrausers in group, passwd, shadow and gshadow
# Sanity checks of "normal" path
groupadd etcgroup
useradd --groups etcgroup etcuser
id etcuser | grep etcgroup
groupadd etcgroup2
usermod --groups etcgroup2 etcuser
id etcuser | grep etcgroup2
useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
ls /var/lib/extrausers/ # should be empty
# Sanity checks of "extrausers" path in rw context
groupadd --extrausers extragroup
useradd --extrausers --groups extragroup extrauser # currently fails
id extrauser | grep extragroup
useradd --extrausers extrauser2
id extrauser2
usermod --groups extragroup extrauser2
id extrauser2 | grep extragroup
# Sanity checks of "extrausers" path in ro context
mv /etc /etc-rw
mkdir /etc
mount -o bind,ro /etc-rw /etc
groupadd --extrausers extragroup2
useradd --extrausers --groups etcgroup extrauser3
id extrauser3 | grep etcgroup
usermod --groups extragroup2 extrauser3
id extrauser3 | grep extragroup2
```
Furthermore, validation from the Ubuntu Core team that this actually fixes
their use case is required.
[ Where problems could occur ]
Regression potential is in the group validation stage of the `usermod` and
`useradd` tools. Besides the usual risks related to C code, the various failure
scenarios that come to mind are:
* try to add the user to a non-existing local group, which would fail further
down with a different error message
* actually fail to identify a valid local group
* Fail to either add the user to the system, or the user to the group
* Update the wrong file (/var/lib/extrausers/* vs /etc/*) |
|
2024-05-27 17:16:51 |
Simon Chopin |
shadow (Ubuntu Noble): status |
Fix Committed |
In Progress |
|
2024-05-28 02:31:48 |
Martin Pitt |
bug |
|
|
added subscriber Martin Pitt |
2024-05-29 15:38:09 |
Launchpad Janitor |
shadow (Ubuntu Oracular): status |
Fix Committed |
Fix Released |
|
2024-06-14 13:34:15 |
Timo Aaltonen |
shadow (Ubuntu Noble): status |
In Progress |
Fix Committed |
|
2024-06-14 13:34:18 |
Timo Aaltonen |
tags |
foundations-todo regression-proposed verification-failed verification-failed-noble |
foundations-todo regression-proposed verification-needed verification-needed-noble |
|