Ubuntu
util-linux package

libuuid: use /usr/sbin/nologin instead of /bin/sh for libuuid user

Trusty (14.04)
Bug #1319973

Bug #1319973 reported by Alec Warner on 2014-05-15

264

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
util-linux (Debian)	Fix Released	Unknown	debbugs #734544
util-linux (Ubuntu)	Fix Released	High	Marc Deslauriers
Trusty	Triaged	High	Marc Deslauriers	Ubuntu trusty-updates
Utopic	Won't Fix	High	Unassigned

Bug Description

antarus@killbot:~$ getent passwd libuuid
libuuid:x:100:101::/var/lib/libuuid:

A missing shell specification means it takes the default shell (usually /bin/sh).

DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu Trusty Tahr (development branch)"
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04

antarus@killbot:/tmp$ apt-cache policy libuuid1
libuuid1:
Installed: 2.20.1-5.1ubuntu20
Candidate: 2.20.1-5.1ubuntu20

It should have /usr/sbin/nologin as its shell.

-A

Tags:

Marc Deslauriers (mdeslaur) on 2014-05-15

Changed in util-linux (Ubuntu Trusty):
status:	New → Confirmed
Changed in util-linux (Ubuntu Utopic):
status:	New → Confirmed
assignee:	nobody → Marc Deslauriers (mdeslaur)
information type:	Public → Public Security

Bug Watch Updater (bug-watch-updater) on 2014-05-16

Changed in util-linux (Debian):
status:	Unknown → New

Brian Murray (brian-murray) on 2014-05-19

Changed in util-linux (Ubuntu Trusty):
milestone:	none → trusty-updates

Bug Watch Updater (bug-watch-updater) on 2014-07-31

Changed in util-linux (Debian):
status:	New → Fix Released

Revision history for this message

Mark Stosberg (markstos) wrote on 2015-02-02:

This remains a potential security issue with Ubuntu 14.04.

It appears that the util-linux (2.25-5) should set the login shell as "nologin". It seems here we need an update which finds the shells already set as /bin/sh and resets them to "nlogin"

Revision history for this message

Mark Stosberg (markstos) wrote on 2015-02-02:

That should nave been "nologin".

Revision history for this message

Martin Pitt (pitti) wrote on 2015-02-11:

The vivid package (uuid-runtime.postinst) does that, this got merged several months ago.

Changed in util-linux (Ubuntu):
status:	Confirmed → Fix Released

Mathew Hodson (mhodson) on 2015-08-21

Changed in util-linux (Ubuntu Utopic):
status:	Confirmed → Won't Fix
tags:	added: trusty
Changed in util-linux (Ubuntu Trusty):
importance:	Undecided → High
Changed in util-linux (Ubuntu Utopic):
importance:	Undecided → High
Changed in util-linux (Ubuntu):
importance:	Undecided → High
Changed in util-linux (Ubuntu Trusty):
status:	Confirmed → Triaged

Mathew Hodson (mhodson) on 2015-08-21

Changed in util-linux (Ubuntu Utopic):
assignee:	Marc Deslauriers (mdeslaur) → nobody
Changed in util-linux (Ubuntu Trusty):
assignee:	nobody → Marc Deslauriers (mdeslaur)

Mathew Hodson (mhodson) on 2015-09-16

summary:

- libuuid needs a default shell (seems to not specify any?)
+ libuuid: use /usr/sbin/nologin instead of /bin/sh for libuuid user

Revision history for this message

Da Xue (da-t) wrote on 2015-11-19:

Any time estimates of when this will be addressed on14.04 LTS?

Revision history for this message

Seth Arnold (seth-arnold) wrote on 2015-11-23:

I think the libuuid postinst hack to fix this introduced regressions:

https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1491055
https://bugs.launchpad.net/ubuntu/+source/util-linux/+bug/1518151

Report a bug

This report contains Public Security information

Everyone can see this security related information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

debbugs #734544
[done important security] Edit

Bug watches keep track of this bug in other bug trackers.

Ubuntuutil-linux package

libuuid: use /usr/sbin/nologin instead of /bin/sh for libuuid user

Bug Description

Other bug subscribers

Remote bug watches

Ubuntu
util-linux package