useradd --extrausers --groups tries to lock /etc/group
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
shadow (Ubuntu) | Status tracked in Oracular | | |
Jammy | Invalid | Undecided | Unassigned |
Mantic | Won't Fix | Undecided | Unassigned |
Noble | Fix Committed | High | Simon Chopin |
Oracular | Fix Released | Undecided | Simon Chopin |
Bug Description
[ Impact ]
On Ubuntu Core 24 calling the command line
```
useradd --extrausers --groups somegroup somenewuser
```
... fails with:
```
useradd: cannot lock /etc/group; try again later.
```
It worked on 22.04. /etc is not writable. It also fails if somegroup is a group in extrausers.
[ Test Plan ]
Part of the upload is adding an autopkgtest script testing useradd and usermod in the extrausers+
In addition, the following commands should be run as root in a fresh container:
```
# Install prerequisites
apt install libnss-extrausers
sed -i -r '/^(passwd|
# Sanity checks of "normal" path
groupadd etcgroup
useradd --groups etcgroup etcuser
id etcuser | grep etcgroup
groupadd etcgroup2
usermod --groups etcgroup2 etcuser
id etcuser | grep etcgroup2
useradd --groups nullgroup etcuser || echo Successfully rejected invalid group
ls /var/lib/
# Sanity checks of "extrausers" path in rw context
groupadd --extrausers extragroup
useradd --extrausers --groups extragroup extrauser # currently fails
id extrauser | grep extragroup
useradd --extrausers extrauser2
id extrauser2
# Sanity checks of "extrausers" path in ro context
mv /etc /etc-rw
mkdir /etc
mount -o bind,ro /etc-rw /etc
groupadd --extrausers extragroup2
useradd --extrausers --groups etcgroup extrauser3
id extrauser4 | grep etcgroup
```
Furthermore, validation from the Ubuntu Core team that this actually fixes
their use case is required.
[ Where problems could occur ]
Regression potential is in the group validation stage of the `usermod` and
`useradd` tools. Besides the usual risks related to C code, the various failure
scenarios that come to mind are:
* try to add the user to a non-existing local group, which would fail further
down with a different error message
* actually fail to identify a valid local group
* Fail to either add the user to the system, or the user to the group
* Update the wrong file (/var/lib/
Changed in shadow (Ubuntu): | |
assignee: | nobody → Simon Chopin (schopin) |
tags: | added: foundations-todo |
Changed in shadow (Ubuntu Mantic): | |
status: | New → Won't Fix |
Changed in shadow (Ubuntu Jammy): | |
status: | New → Invalid |
Changed in shadow (Ubuntu Oracular): | |
status: | New → Fix Committed |
Changed in shadow (Ubuntu Noble): | |
importance: | Undecided → High |
status: | New → In Progress |
assignee: | nobody → Simon Chopin (schopin) |
description: | updated |
tags: | added: verification-failed verification-failed-noble; removed: verification-needed verification-needed-noble |
tags: | added: regression-proposed |
description: | updated |
description: | updated |
Quick repro steps:
```
❯ lxc launch ubuntu-daily:noble shadow
Creating shadow
Starting shadow
❯ lxc exec shadow bash
root@shadow:~# mv /etc /etc_write
root@shadow:~# mkdir /etc
root@shadow:~# mount -o bind,ro /etc_write /etc
root@shadow:~# useradd --extrausers --groups somegroup somenewuser
useradd: cannot lock /etc/group; try again later.
```