touch-packages team mailing list archive

[Bug 1348947] [NEW] useradd/groupadd existence check races

 

Public bug reported:

useradd has a race between checking if a username is already in use and
updating the pw database:

getpwnam check <http://anonscm.debian.org/cgit/pkg-shadow/shadow.git/tree/src/useradd.c#n2085>
open_files lock on line 2127 of same

groupadd has a race between checking if a groupname is already in use
and updating the gr database:

getgrnam check <http://anonscm.debian.org/cgit/pkg-shadow/shadow.git/tree/src/groupadd.c#n483>
open_files lock on line 609 of same

This race is exhibited when multiple processes attempt to use the error
return code of useradd/groupadd to indicate whether they have
successfully created a unique user for themselves. If the race occurs,
the uid/gid of the database entry may change out from under the first
successful process as the second process finds an unused uid/gid and
then updates the database using the same key (but the new uid/gid).

I believe this bug has existed since at least shadow 4.1.4.2 in both Ubuntu
and Debian distributions. I don't believe this bug is a security
vulnerability except in contexts where attackers may have control over
user/group creation by applications assuming that the database locks
ensure non-collision.

Obligatory:

1)# lsb_release -rd
Description:	Ubuntu 10.04 LTS
Release:	10.04

2)# apt-cache policy passwd
passwd:
  Installed: 1:4.1.4.2-1ubuntu2.2
  Candidate: 1:4.1.4.2-1ubuntu2.2
  Version table:
 *** 1:4.1.4.2-1ubuntu2.2 0
        500 http://www-uxsup.csx.cam.ac.uk/pub/linux/ubuntu/ lucid-updates/main Packages
        500 http://security.ubuntu.com/ubuntu/ lucid-security/main Packages
        100 /var/lib/dpkg/status
     1:4.1.4.2-1ubuntu2 0
        500 http://www-uxsup.csx.cam.ac.uk/pub/linux/ubuntu/ lucid/main Packages

3) groupadd/useradd should either consistently let the operator
overwrite existing groups/users or should consistently produce a name
collision error

4) groupadd/useradd sometimes exit due to name collisions and sometimes
overwrite existing groups/users

** Affects: shadow
     Importance: Undecided
         Status: New

** Affects: shadow (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: shadow (Debian)
     Importance: Undecided
         Status: New

** Also affects: shadow
   Importance: Undecided
       Status: New

** Also affects: shadow (Debian)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to shadow in Ubuntu.
https://bugs.launchpad.net/bugs/1348947
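
The ordering described in the report (existence check first, lock taken later) replayed deterministically, next to the same sequence with the check repeated under the lock. This is an added example, not part of the original report and not shadow's code. It assumes a constructed `name:uid` file, flock(2) locking and hypothetical helper names (`count_entries`, `add_entry`, `replay`); shadow's update-by-key behaviour is not reproduced, so the collision appears here as a second entry rather than a changed uid.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <unistd.h>

/* Count "name:uid" lines for name in a constructed passwd-like file. */
static int count_entries(const char *path, const char *name) {
    char line[256];
    size_t n = strlen(name);
    int count = 0;
    FILE *f = fopen(path, "r");
    if (!f) return 0;                       /* no database yet: no entries */
    while (fgets(line, sizeof line, f))
        count += strncmp(line, name, n) == 0 && line[n] == ':';
    fclose(f);
    return count;
}

/* Add an entry under an exclusive lock. recheck=0 trusts the caller's earlier
 * unlocked check; recheck=1 repeats it while the lock is held.
 * Returns 0 when added, 1 on name collision, 2 on I/O error. */
static int add_entry(const char *path, const char *name, int uid, int recheck) {
    char buf[256];
    int rc = 0, fd = open(path, O_WRONLY | O_APPEND | O_CREAT, 0600);
    if (fd < 0) return 2;
    if (flock(fd, LOCK_EX) != 0) { close(fd); return 2; }
    int taken = recheck && count_entries(path, name) > 0;
    int len = snprintf(buf, sizeof buf, "%s:%d\n", name, uid);
    if (taken) rc = 1;
    else if (len < 0 || len >= (int)sizeof buf || write(fd, buf, (size_t)len) != len) rc = 2;
    close(fd);                              /* closing the descriptor drops the lock */
    return rc;
}

/* Callers A and B both pass the unlocked check before either one writes. */
static int replay(const char *path, int recheck) {
    unlink(path);
    int a_free = count_entries(path, "svc") == 0;
    int b_free = count_entries(path, "svc") == 0;
    if (a_free) add_entry(path, "svc", 1001, recheck);
    if (b_free) add_entry(path, "svc", 1002, recheck);
    int n = count_entries(path, "svc");
    unlink(path);
    return n;                               /* entries now stored for "svc" */
}

int main(void) {
    printf("check before lock: %d entries\n", replay("/tmp/useradd_race_demo.db", 0));
    printf("check under lock:  %d entries\n", replay("/tmp/useradd_race_demo.db", 1));
}
```

A caller that needs a unique account should treat the collision return from the locked check as authoritative rather than any lookup it performed beforehand.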
