Bug#1720: adduser: races, and chmod/chown - patch provided
Austin Donnelly writes ("Bug#1720: adduser: races, and chmod/chown - patch provided"):
> Package: adduser
> Version: 1.94-1
> Three different bugs fixed here:
> (1) There were a few race conditions in locking the password and
> group files. A badly timed ^C could result in the lockfile
> not being cleared.
> (2) chown()/chmod() persistently used in the wrong order throughout.
> Could people please take note: chown()ing a file removes the
> setuid and setgid bits on it! It's no use chmod()ing a file to
> be setgid, then chown()ing it to someone else.
> (3) The copy_to_file() routine doesn't preserve permissions. This
> means that giving users a default .xsession (which must be rwx)
> isn't possible. I've modified copy_to_file() to now copy the
> permissions with the file - but the files are chown()ed later, so
> the setuid/setgid bit will be lost. (This is probably the right
> thing to happen, in this instance).
> As always, patch included...
Please see also my bug reports, #1544 and #1500. #1544 contains a
patch that fixes all the problems I've encountered with adduser, and
which will probably overlap with Austin's.
I remember seeing a message on debian-* saying that we have a new
maintainer for adduser - would they please step forward so that we can
dump this lot on them? :-)
If they don't I suppose I could make an interim release, which might
stop any more people submitting patches for overlapping subsets of