
Bug#1720: adduser: races, and chmod/chown - patch provided



Austin Donnelly writes ("Bug#1720: adduser: races, and chmod/chown - patch provided"):
> Package: adduser
> Version: 1.94-1
>
> Three different bugs fixed here:
>
>  (1) There were a few race conditions in locking the password and
>      group files.  A badly timed ^C could result in the lockfile
>      not being cleared.
>
>  (2) chown()/chmod() persistently used in the wrong order throughout.
>      Could people please take note: chown()ing a file removes the
>      setuid and setgid bits on it!  It's no use chmod()ing a file to
>      be setgid, then chown()ing it to someone else.
>
>  (3) The copy_to_file() routine doesn't preserve permissions.  This
>      means that giving users a default .xsession (which must be rwx)
>      isn't possible. I've modified copy_to_file() to now copy the
>      permissions with the file - but the files are chown()ed later, so
>      the setuid/setgid bit will be lost. (This is probably the right
>      thing to happen, in this instance).
>
>
> As always, patch included...

Please see also my bug reports, #1544 and #1500.  #1544 contains a
patch that fixes all the problems I've encountered with adduser, and
which will probably overlap with Austin's.

I remember seeing a message on debian-* saying that we have a new
maintainer for adduser - would they please step forward so that we can
dump this lot on them? :-)

If they don't, I suppose I could make an interim release, which might
stop any more people submitting patches for overlapping subsets of
bugs.

Ian.
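
The ordering problem in item (2) of the quoted report, as an added example that is not part of the original message or of either adduser patch: it applies chmod() and chown() in both orders to scratch files and reports the resulting mode. The function names and the 02755 mode are assumptions chosen for illustration; the files are chown()ed to the caller's own uid/gid so it runs without root.

```python
import os
import stat
import tempfile

SETGID_MODE = 0o2755  # rwxr-sr-x: setgid plus group execute (illustrative value)


def _mode(path):
    """Return the permission bits of path, including setuid/setgid/sticky."""
    return stat.S_IMODE(os.stat(path).st_mode)


def chmod_then_chown(path, uid, gid, mode=SETGID_MODE):
    """Order the report complains about: the later chown() may strip
    setuid/setgid (Linux does so on regular files like this one)."""
    os.chmod(path, mode)
    os.chown(path, uid, gid)
    return _mode(path)


def chown_then_chmod(path, uid, gid, mode=SETGID_MODE):
    """Safe order: settle ownership first, then set the final mode."""
    os.chown(path, uid, gid)
    os.chmod(path, mode)
    return _mode(path)


def compare_orders():
    """Run both orders on scratch files owned by the current user and group."""
    uid, gid = os.geteuid(), os.getegid()
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        for func in (chmod_then_chown, chown_then_chmod):
            path = os.path.join(scratch, func.__name__)
            with open(path, "w"):
                pass  # empty regular file is enough to observe the mode bits
            results[func.__name__] = func(path, uid, gid)
    return results


if __name__ == "__main__":
    for name, mode in compare_orders().items():
        kept = "kept" if mode & stat.S_ISGID else "lost"
        print(f"{name}: {oct(mode)} (setgid {kept})")
```
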

