Control: severity -1 normal
Control: outlook -1 write test case, then apply patch
thanks

Readjusting priority since this is kind of a corner case. I am not even
convinced that having multiple user names with the same uid is a
supported or recommended configuration.

For the patch to be applied, we'd need to have a test case first.

Greetings
Marc

On Thu, Feb 21, 2013 at 06:49:33PM +0100, Daniel Heimann wrote:
> From: Daniel Heimann <debian-bugrep...@lancrew.de>
> Subject: Bug#701110: adduser removes cloned-uid usernames, during gpasswd
>  -M ... (get_group_members() bug)
> To: Debian Bug Tracking System <sub...@bugs.debian.org>
> Reply-To: Daniel Heimann <debian-bugrep...@lancrew.de>,
>  701...@bugs.debian.org
> Date: Thu, 21 Feb 2013 18:49:33 +0100
> X-Mailer: reportbug 4.12.6
> 
> Package: adduser
> Version: 3.112+nmu2
> Severity: important
> Tags: patch
> 
> If adduser needs to call gpasswd -M (e.g. when adding the new user to groups,
> because of EXTRA_GROUPS in adduser.conf) it uses get_group_members() to first
> retrieve other users that have been added to the group before. It then adds
> the new user to the list and calls gpasswd with all users all together.
> 
> When uid-cloned system users (two usernames, same userid) are members of such
> a group, all but the first (as listed in passwd) get removed, due to adduser's
> wrong call to gpasswd. The reason is get_group_members() returns wrong
> @members, because getpwuid(getpwnam($_)) eq $_ does not match for cloned
> uids.
> Instead the first matching username (as listed in passwd) is returned by
> getpwuid which is not $_ in this case, so the uid-cloned users do not get
> pushed to @members.
> 
> get_group_members() (contained in /usr/share/perl5/Debian/AdduserCommon.pm)
> is defined as
> 
> sub get_group_members
>   {
>       my $group = shift;
>       my @members;
>       foreach (split(/ /, (getgrnam($group))[3])) {
>           if (getpwuid(getpwnam($_)) eq $_ ) {
>               push @members, $_;
>           }
>       }
>       return @members;
>   }
> 
> While searching for the reason why this is broken in Squeeze and Wheezy, but
> not Etch, I found 
> http://anonscm.debian.org/viewvc/adduser/trunk/AdduserCommon.pm?r1=646&r2=732
> 
> It seems the getpwuid(getpwnam($_)) part was made to prevent root from being
> removed from groups (because UID 0 "failed" the if), which is nice. In order
> to have this still fixed (allow root to be and stay part of groups), not
> break cloned-uid usernames and still validate that processed users actually
> exist, I'd propose the use of defined, like:
> 
> sub get_group_members
>   {
>       my $group = shift;
>       my @members;
>       foreach (split(/ /, (getgrnam($group))[3])) {
>           if (defined getpwnam($_)) {
>               push @members, $_;
>           }
>       }
>       return @members;
>   }
> 
> Works for me (in all described cases).
> 
> 
> -- System Information:
> Debian Release: 6.0.6
>   APT prefers stable
>   APT policy: (500, 'stable')
> Architecture: i386 (i686)
> 
> Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)
> Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15) (ignored: LC_ALL set to de_DE@euro)
> Shell: /bin/sh linked to /bin/bash
> 
> Versions of packages adduser depends on:
> ii  debconf [de 1.5.36.1                     Debian configuration management sy
> ii  passwd      1:4.1.4.2+svn3283-2+squeeze1 change and administer password and
> ii  perl-base   5.10.1-17squeeze4            minimal Perl system
> 
> adduser recommends no packages.
> 
> Versions of packages adduser suggests:
> ii  liblocale-gettext-perl 1.05-6            Using libc functions for internati
> ii  perl-modules           5.10.1-17squeeze4 Core Perl modules
> 
> -- debconf information excluded
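
Added example (not part of the original mails and not adduser's own code): a Perl test sketch that runs the two checks quoted above against a constructed passwd table instead of the system database. The helper names mock_getpwnam, mock_getpwuid, members_roundtrip and members_defined, and the accounts backup2 and ghost, are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Test::More tests => 2;

# Constructed passwd table in file order: "backup2" is a hypothetical clone
# of "backup" (same UID), and "ghost" below has no passwd entry at all.
my @passwd = ([root => 0], [backup => 34], [backup2 => 34]);

# Stand-ins for scalar-context getpwnam()/getpwuid() over that table.
sub mock_getpwnam {
    my $name = shift;
    for my $e (@passwd) { return $e->[1] if $e->[0] eq $name }
    return undef;
}

sub mock_getpwuid {
    my $uid = shift;
    return undef unless defined $uid;
    # Like the real lookup, the first entry with this UID wins.
    for my $e (@passwd) { return $e->[0] if $e->[1] == $uid }
    return undef;
}

# Check from the report: name -> uid -> name must round-trip.
sub members_roundtrip {
    return grep { (mock_getpwuid(mock_getpwnam($_)) // '') eq $_ } @_;
}

# Proposed check: the name only has to resolve to an account.
sub members_defined {
    return grep { defined mock_getpwnam($_) } @_;
}

# Constructed group member list, as split from the gr_mem field.
my @group = qw(root backup backup2 ghost);

# Documents the bug: the clone is dropped along with the stale name.
is_deeply([members_roundtrip(@group)], [qw(root backup)],
    'round-trip check drops the cloned-uid member');

# Documents the fix: root (UID 0) and the clone stay, the stale name goes.
is_deeply([members_defined(@group)], [qw(root backup backup2)],
    'defined check keeps root and the clone, drops the unknown name');
```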
