On Wed, May 26, 2010 at 02:22:43PM +0200, Michael Banck wrote:
> Hi,
>
> On Wed, May 26, 2010 at 01:00:49PM +0100, Roger Leigh wrote:
> > > This one time, at band camp, Steve Langasek said:
> > > > pam_umask requires both username == primary group name and uid == gid
> > > > before it will assume UPG are in place when using its 'usergroups'
> > > > option,
> > I'd be interested to understand the upstream POV here--with current
> > Debian systems, assuming UID==GID without additionally checking
> > that the names match is horribly insecure.
>
> See the text you quoted yourself, or am I missing something?

The UID==GID scheme works initially, but any call to addgroup to add
a group will get the two out of sync. Because historically we haven't
enforced the two to be equal, on any system with >=1 groups added, the
UID is guaranteed to not equal the GID. In consequence, the UID==GID
check will fail with these historical passwd/group files, and that's
not even counting databases coming from NIS or LDAP sources where it's
not under our control.

What, exactly, does comparing the UID and GID get you? I.e. what is it
protecting you against? If you're using a system such as Debian, which
has created a group by the same name for many years, you're in no
danger of accidentally creating a group with the same name of a user,
since it will already exist. Additionally, adding a new user will fail
if the group already exists.

Are there any other corner cases this prevents problems with?

How will adduser cope with group addition; does it skip UIDs until it
finds an unused unique UID/GID pair?

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
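An added example, not part of the original message and not pam_umask's own code: a small Python audit that applies the two checks quoted in the thread (username == primary group name, uid == gid) to passwd and group data, and shows where they disagree once a group has been added. The account names, file contents and verdict labels are constructed for illustration.

```python
# Constructed sample data (not from a real system). alice and bob were created
# first; "projects" was then added with addgroup and took GID 1002, so carol's
# UID and GID no longer line up. erin's primary group is a shared group whose
# GID happens to equal her UID.
PASSWD = """\
alice:x:1000:1000::/home/alice:/bin/sh
bob:x:1001:1001::/home/bob:/bin/sh
carol:x:1002:1003::/home/carol:/bin/sh
dave:x:1003:100::/home/dave:/bin/sh
erin:x:1004:1004::/home/erin:/bin/sh
"""
GROUP = """\
alice:x:1000:
bob:x:1001:
projects:x:1002:alice,bob
carol:x:1003:
users:x:100:
staff:x:1004:carol
"""

def audit(passwd_text, group_text):
    """Return {user: (verdict, other_members)} for each passwd entry."""
    groups = {}
    for line in group_text.splitlines():
        name, _pw, gid, members = line.split(":")
        groups[int(gid)] = (name, [m for m in members.split(",") if m])
    report = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        user, uid, gid = fields[0], int(fields[2]), int(fields[3])
        gname, members = groups.get(gid, (None, []))
        name_ok = gname == user   # username == primary group name
        id_ok = uid == gid        # uid == gid
        if name_ok and id_ok:
            verdict = "both"
        elif name_ok:
            verdict = "name-only"
        elif id_ok:
            verdict = "id-only"
        else:
            verdict = "neither"
        # Anyone else listed in the primary group would gain write access
        # to the user's new files under a group-writable umask.
        report[user] = (verdict, [m for m in members if m != user])
    return report

if __name__ == "__main__":
    for user, (verdict, others) in audit(PASSWD, GROUP).items():
        print(f"{user:6} {verdict:10} other members: {others or '-'}")
```

On this data carol is a genuine user private group that the uid == gid test rejects, while erin passes uid == gid alone even though her primary group has another member.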