Bug#295680: marked as done (libc6: getgrname returns a result that doesn't belong to /etc/group)
Your message dated Tue, 28 Jun 2005 19:37:56 +0300
with message-id <1119976676.8584.54.camel@esme.liw.iki.fi>
and subject line Bug#295680: libc6: getgrname returns a result that doesn't belong to /etc/group
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
Received: (at submit) by bugs.debian.org; 17 Feb 2005 12:37:57 +0000
>From vincent@vinc17.org Thu Feb 17 04:37:57 2005
Return-path: <vincent@vinc17.org>
Received: from dixsept.loria.fr [152.81.9.195]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1D1kuq-0001cf-00; Thu, 17 Feb 2005 04:37:57 -0800
Received: from vlefevre by dixsept.loria.fr with local (Exim 4.44)
id 1D1kuL-0005ox-Fc; Thu, 17 Feb 2005 13:37:25 +0100
Date: Thu, 17 Feb 2005 13:37:25 +0100
From: Vincent Lefevre <vincent@vinc17.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libc6: getgrname returns a result that doesn't belong to /etc/group
Message-ID: <20050217123725.GA22298@dixsept.loria.fr>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Reportbug-Version: 3.8
X-Mailer-Info: http://www.vinc17.org/mutt/
User-Agent: Mutt/1.5.7-vl-20050209i
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-8.0 required=4.0 tests=BAYES_00,HAS_PACKAGE
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
Package: libc6
Version: 2.3.2.ds1-20
Severity: important
The getgrname(3) man page says:
The getgrnam() function returns a pointer to a structure containing the
group information from /etc/group for the entry that matches the group
name name.
But here, the getgrname function returns a result that doesn't belong
to /etc/group, which seems to lead by side effects to a security hole
(more details below).
Consider the following program:
#include <stdio.h>
#include <stdlib.h>
#include <grp.h>
int main (int argc, char **argv)
{
struct group *grp;
if (argc != 2)
{
fprintf (stderr, "Usage: grname <group_name>\n");
exit (1);
}
grp = getgrnam (argv[1]);
if (grp == NULL)
{
fprintf (stderr, "grname: can't find group %s\n", argv[1]);
exit (2);
}
printf ("%d (%s)\n", grp->gr_gid, grp->gr_name);
return 0;
}
It gives here, where slocate is group 21 in NIS:
$ ./grname slocate
21 (slocate)
$ grep slocate /etc/group
zsh: exit 1 grep slocate /etc/group
$ grep 21 /etc/group
fax:x:21:
As a consequence:
# touch blah
# chown root.slocate blah
# ls -l blah
-rw-r--r-- 1 root fax 0 2005-02-17 13:30:13 blah
^^^
This could also explain why groupadd (to add a group to /etc/group)
fails if a group with the same name exists via NIS.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.10
Locale: LANG=POSIX, LC_CTYPE=en_US.ISO8859-1 (charmap=ISO-8859-1)
Versions of packages libc6 depends on:
ii libdb1-compat 2.1.3-7 The Berkeley database routines [gl
-- no debconf information
---------------------------------------
Received: (at 295680-done) by bugs.debian.org; 28 Jun 2005 16:38:22 +0000
>From liw@iki.fi Tue Jun 28 09:38:21 2005
Return-path: <liw@iki.fi>
Received: from ip212-226-168-228.adsl.kpnqwest.fi (esme.liw.iki.fi) [212.226.168.228]
by spohr.debian.org with esmtp (Exim 3.35 1 (Debian))
id 1DnJ6L-0005C1-00; Tue, 28 Jun 2005 09:38:21 -0700
Received: by esme.liw.iki.fi (Postfix, from userid 1000)
id B92CCF416A; Tue, 28 Jun 2005 19:37:56 +0300 (EEST)
Subject: Re: Bug#295680: libc6: getgrname returns a result that doesn't
belong to /etc/group
From: Lars Wirzenius <liw@iki.fi>
To: 295680-done@bugs.debian.org
Cc: GOMBAS Gabor <gombasg@sztaki.hu>, Vincent Lefevre <vincent@vinc17.org>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
Date: Tue, 28 Jun 2005 19:37:56 +0300
Message-Id: <1119976676.8584.54.camel@esme.liw.iki.fi>
Mime-Version: 1.0
X-Mailer: Evolution 2.2.2
Delivered-To: 295680-done@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02
(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER
autolearn=no version=2.60-bugs.debian.org_2005_01_02
X-Spam-Level:
The discussion on this bug has slowed again. I think the following is a
fair summary:
* getgrnam(3) is wrong to say that only /etc/group is used. I've filed a
bug against it (#316102).
* There is no actual bug in glibc here, so the bug report needs to be
closed or reassigned.
* It is unfortunate that Debian (or other systems) requires work to be
integrated into an existing NIS setup, but there's not all that much we
can do about it.
Therefore, I think it is justified to close the bug. Vincent, or anyone,
if you disagree, you can reopen it (if you know how to use the control
address) or you can mail me, and I'll re-open it, and this can then be
discussed further.
Reply to: