Package: opensysusers
Version: 0.6-2
Severity: serious
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
opensysusers uses the shell's `eval` on everything in sysusers.d like there is no tomorrow. These files can contain shell meta-characters that should not result in code execution, e.g., in the GECOS field.

+---
| # mkdir /etc/sysusers.d
| # echo 'u test-user - "Do not $(rm /etc/bash.bashrc)" /var/lib/test-users /bin/sh' > /etc/sysusers.d/test.conf
| # ls -l /etc/bash.bashrc
| -rw-r--r-- 1 root root 1994 Jun 22 02:26 /etc/bash.bashrc
| # systemd-sysusers  # this is opensysusers
| # ls -l /etc/bash*
| ls: cannot access '/etc/bash*': No such file or directory
+---[ opensysusers 0.6-2 ]

systemd's systemd-sysusers behaves differently:

+---
| # mkdir /etc/sysusers.d
| # echo 'u test-user - "Do not $(rm /etc/bash.bashrc)" /var/lib/test-users /bin/sh' > /etc/sysusers.d/test.conf
| # ls -l /etc/bash.bashrc
| -rw-r--r-- 1 root root 1994 Jun 22 02:26 /etc/bash.bashrc
| # systemd-sysusers
| Creating group systemd-coredump with gid 999.
| Creating user systemd-coredump (systemd Core Dumper) with uid 999 and gid 999.
| Creating group test-user with gid 998.
| Creating user test-user (Do not $(rm /etc/bash.bashrc)) with uid 998 and gid 998.
| # ls -l /etc/bash.bashrc
| -rw-r--r-- 1 root root 1994 Jun 22 02:26 /etc/bash.bashrc
| # getent passwd test-user
| test-user:x:998:998:Do not $(rm /etc/bash.bashrc):/var/lib/test-users:/bin/sh
+---[ systemd 247.3-6 ]

As opensysusers is supposed to be a drop-in replacement for systemd-sysusers it *must* behave as systemd does and not execute data.

Ansgar
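The fix the report asks for is to tokenize sysusers.d lines without handing them to `eval`. The POSIX sh below is an added illustration, not code from the report or from the opensysusers project: it splits one line into fields while honouring double-quoted fields (so a GECOS with spaces stays one field), using only parameter expansion, so `$(...)`, backticks and similar meta-characters stay literal data. The function names (`split_sysusers_line`, `gecos_of_line`, `gecos_marker_survives`) and the temporary-file check are this example's own; backslash escapes inside quotes, which systemd's parser also accepts, are deliberately not handled here.

```shell
#!/bin/sh
# Added example: eval-free field splitting for sysusers.d lines.
# The unsafe pattern this replaces is, in spirit,  eval "set -- $line",
# which lets $(...) in any field run as root (see the report above).

tab=$(printf '\t')

# split_sysusers_line LINE
# Prints one field per line. Double quotes group a field; nothing inside
# the line is ever re-parsed by the shell, only copied character by character.
split_sysusers_line() {
    line=$1
    # Skip blank lines and comments, as sysusers.d permits them.
    case $line in ''|'#'*) return 0 ;; esac
    field=''
    in_quote=0
    have_field=0
    while [ -n "$line" ]; do
        c=${line%"${line#?}"}   # first character (pure parameter expansion)
        line=${line#?}          # remaining characters
        case $c in
            '"')
                # Toggle quoting; an opening quote also starts a (possibly empty) field.
                if [ "$in_quote" -eq 1 ]; then in_quote=0; else in_quote=1; have_field=1; fi ;;
            ' '|"$tab")
                if [ "$in_quote" -eq 1 ]; then
                    field="$field$c"
                elif [ "$have_field" -eq 1 ]; then
                    printf '%s\n' "$field"
                    field=''
                    have_field=0
                fi ;;
            *)
                field="$field$c"
                have_field=1 ;;
        esac
    done
    if [ "$have_field" -eq 1 ]; then printf '%s\n' "$field"; fi
}

# gecos_of_line LINE
# For a "u" line the GECOS is the fourth field (type, name, id, gecos, home, shell).
gecos_of_line() {
    split_sysusers_line "$1" | sed -n '4p'
}

# gecos_marker_survives
# Constructed self-check: build a line whose GECOS contains $(rm <tmpfile>),
# parse it, and report "safe" if the file still exists and the GECOS came back
# verbatim, "executed" otherwise.
gecos_marker_survives() {
    marker=$(mktemp)
    line="u test-user - \"Do not \$(rm $marker)\" /var/lib/test-users /bin/sh"
    gecos=$(gecos_of_line "$line")
    if [ -e "$marker" ] && [ "$gecos" = "Do not \$(rm $marker)" ]; then
        rm -f "$marker"
        echo safe
    else
        echo executed
    fi
}

# Stand-alone run: parse the report's own test line and show the fields.
split_sysusers_line 'u test-user - "Do not $(rm /etc/bash.bashrc)" /var/lib/test-users /bin/sh'
gecos_marker_survives
```

Dropping the example's line through `split_sysusers_line` yields six fields, the fourth being the literal string `Do not $(rm /etc/bash.bashrc)`, which is exactly what systemd writes into the passwd entry. The same character-by-character approach extends to every field, so a hostile group name, home directory or shell cannot escape either.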