Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
At Thu, 17 Feb 2005 13:37:25 +0100,
Vincent Lefevre wrote:
> The getgrname(3) man page says:
>
> The getgrnam() function returns a pointer to a structure containing the
> group information from /etc/group for the entry that matches the group
> name name.
>
> But here, the getgrname function returns a result that doesn't belong
> to /etc/group, which seems to lead by side effects to a security hole
> (more details below).
Does this manpage say correctly? i.e. Is getgrnam tightly coupled
with /etc/group?
> It gives here, where slocate is group 21 in NIS:
>
> $ ./grname slocate
> 21 (slocate)
> $ grep slocate /etc/group
> zsh: exit 1 grep slocate /etc/group
> $ grep 21 /etc/group
> fax:x:21:
>
> As a consequence:
>
> # touch blah
> # chown root.slocate blah
> # ls -l blah
> -rw-r--r-- 1 root fax 0 2005-02-17 13:30:13 blah
> ^^^
>
> This could also explain why groupadd (to add a group to /etc/group)
> fails if a group with the same name exists via NIS.
I guess you specify in /etc/nsswitch.conf that nis is prior than
files for group lookup.
Regards,
-- gotom
Reply to: