From Bugzilla Helper: User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.2) Gecko/20040803 Description of problem: Thereis a bug in the useradd command if you use the hightest possible userid 2^32-1 which is 4294967295 Lets create a user with this userid and give him the name omega: [root@jupiter root]# useradd -u `echo "2^32-1"|bc` omega [root@jupiter root]# grep /omega /etc/passwd omega:x:4294967295:4294967295::/home/omega:/bin/bash All perfect, but if we look at the homedirectory of the user omega: [root@jupiter root]# ls -ld /home/omega drwx------ 3 root root 4096 24. Sep 13:13 omega [root@jupiter root]# ls -ldn /home/ drwx------ 3 0 0 4096 24. Sep 13:13 omega The homedirectory was created with owner root and group root Lets create a new user which we call "beforomega" because he has an userid which is omega's userid minus one which is "2^32-2": [root@jupiter root]# useradd -u `echo "2^32-2"|bc` beforomega [root@jupiter root]# ls -ln /home/ drwx------ 3 4294967294 4294967294 4096 24. Sep 13:17 beforomega drwx------ 2 0 0 16384 7. Jun 00:28 lost+found drwx------ 3 0 0 4096 24. Sep 13:13 omega All is perfect. The real reason is because there is a bug in the chown() funktion which doesnot handle this userid correct, lets demonstrate this with a litte c-program: [root@jupiter root]# [root@jupiter tmp]# cd newdir/ The program mkdir1.c creates a directory called test and tries do change the owner of this directory to userid 4294967295, which is "2^32-1" Okay lets go: [root@jupiter newdir]# cat mkdir1.c #include<stdio.h> #include<sys/types.h> #include<sys/stat.h> #include<unistd.h> int main(){ unsigned int userid=4294967295; //userid=2^32-1 char dir[]="./test"; printf("userid Groesse: %d\n",sizeof(userid)); mkdir(dir,0); chown(dir,userid,0); return 0; } Lets compile and start the program: [root@jupiter newdir]# gcc -o mkdir1.c mkdir1.c mkdir1.c: In Funktion �main�: mkdir1.c:7: Warnung: this decimal constant is unsigned only in ISO C90 [root@jupiter newdir]# ./mkdir1 userid Groesse: 4 Look at the result: [root@jupiter newdir]# ls -ld test d--------- 2 root root 4096 24. Sep 14:09 test The directory created by the program mkdir1 belongs to root who started the programm mkdir1. chown didn't work !! To proof this we create a new c-program under the name mkdir2, but we use a userid "2^32-2": [root@jupiter newdir]# cat mkdir2.c #include<stdio.h> #include<sys/types.h> #include<sys/stat.h> #include<unistd.h> int main(){ unsigned int userid=4294967294; //userid=2^32-2 char dir[]="./test2"; printf("userid Groesse: %d\n",sizeof(userid)); mkdir(dir,0); chown(dir,userid,0); return 0; } [root@jupiter newdir]# gcc -o mkdir2 mkdir2.c mkdir2.c: In Funktion �main�: mkdir2.c:7: Warnung: this decimal constant is unsigned only in ISO C90 Let start the programm: [root@jupiter newdir]# ./mkdir2 userid Groesse: 4 Look at the result: [root@jupiter newdir]# ls -ln test2 insgesamt 28 d--------- 2 4294967294 0 4096 24. Sep 14:12 test2 chown now did his work. [root@jupiter newdir]# exit Version-Release number of selected component (if applicable): shadow-utils-4.0.3-21 How reproducible: Always Steps to Reproduce: 1.useradd -u `echo "2^32-1" | bc` omega 2.ls -ld /home/omega 3.ls -ldn /home/omega Actual Results: homedirectory created by useradd has owner and group root - which is the result of a bug in the chown()-function in the useradd-code if chown() failes the homedirectory will be created with userid 0 Expected Results: homedirectory should have userid 2^32-1 Additional info:
Fedora Core 2 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC3 updates or in the FC4 test release, reopen and change the version to match.
2^32-1 == (unsigned) - 1 $man chown If the owner or group is specified as -1, then that ID is not changed.