[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: The story behind UPG and umask.

On Wed, May 26, 2010 at 02:22:43PM +0200, Michael Banck wrote:
> Hi,
> On Wed, May 26, 2010 at 01:00:49PM +0100, Roger Leigh wrote:
> > > This one time, at band camp, Steve Langasek said:
> > > > pam_umask requires both username == primary group name and uid == gid
> > > > before it will assume UPG are in place when using its 'usergroups'
> > > > option, 
> > 
> > I'd be interested to understand the upstream POV here--with current
> > Debian systems, assuming UID==GID without additionally checking
> > that the names match is horribly insecure.
> See the text you quoted yourself, or am I missing something?

The UID==GID scheme works initially, but any call to addgroup
to add a group will get the two out of sync.  Because historically
we haven't enforced the two to be equal, on any system with >=1 groups
added, the UID is guaranteed to not equal the GID.  In consequence,
the UID==GID check will fail with these historical passwd/group files,
and that's not even counting databases coming from NIS or LDAP
sources where it's not under our control.

What, exactly, does comparing the UID and GID get you?  I.e. what
is is protecting you against?  If you're using a system such as
Debian, which has created a group by the same name for many years,
you're in no danger of accidentally creating a group with the same
name of a user, since it will already exist.  Additionally, adding
a new user will fail if the group already exists.  Are there any
other corner cases this prevents problems with?

How will adduser cope with group addition; does it skip UIDs until
it finds an unused unique UID/GID pair?


  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.

Attachment: signature.asc
Description: Digital signature

Reply to: