Stephen Gran
2007-Jan-17 13:06 UTC
Bug#407231: passwd: users may gain system group access on package installation by coincidence
reassign adduser
thanks

This one time, at band camp, Leonard Norrgård said:
> An ordinary user may end up with group ownership of system files
> in the following scenario [2]:
>
> 1. A user is added, and receives the user and group ids, <name>.
> 2. Later, a package is installed that asks for an identically named
>    system group to be created, using 'addgroup --system <name>'.
> 3. Addgroup returns with a success exit status, showing the message
>    "The group `<name>' already exists as a system group. Exiting.",
>    even though the pre-existing <name> group, as a group added for
>    a user has a non-system id (ie. outside the range 100-999 [1]).

Aha. I have checked in a fix for this. We will upload shortly.

> 4. The user <name> now has access to all system files that are
>    installed for the <name> group.
>
> The problem occurs because in /usr/sbin/addgroup, the code on/after
> line 247 to existing_group_ok fails to check for and handle
> the situation where the existing GID is outside of the system GID
> boundaries.

The addgroup script comes from the adduser package. Reassigning.

Thanks,
--
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------
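
Added example (not part of the original message, and not adduser's own code): a shell check for the condition described in the report, where a group name already exists but its GID lies outside the system range 100-999 cited there. The function names and the sample group file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not adduser's code. The range 100-999 is the one the report cites.
SYS_GID_MIN=100
SYS_GID_MAX=999

# classify_group NAME GROUPFILE -> absent | system:<gid> | outside-range:<gid>
classify_group() {
    awk -F: -v name="$1" -v lo="$SYS_GID_MIN" -v hi="$SYS_GID_MAX" '
        $1 == name {
            found = 1
            kind = ($3 + 0 >= lo + 0 && $3 + 0 <= hi + 0) ? "system" : "outside-range"
            print kind ":" $3
            exit
        }
        END { if (!found) print "absent" }
    ' "$2"
}

# audit_groups GROUPFILE NAME... : print every name that exists with a GID
# outside the system range; return 1 if any such name was found.
audit_groups() {
    file=$1; shift
    rc=0
    for g in "$@"; do
        case $(classify_group "$g" "$file") in
            outside-range:*) echo "$g"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample in group(5) format: "scanner" is a user's private group.
write_sample_group() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
root:x:0:
ssl-cert:x:108:
scanner:x:1001:
EOF
    echo "$f"
}

# Demo: names a package might request with "addgroup --system".
sample=$(write_sample_group)
audit_groups "$sample" ssl-cert scanner lpadmin || echo "^ exists, but not as a system group"
rm -f "$sample"
```

Point the second argument of classify_group at /etc/group to run the same check on a live system.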