Bug 22341

Summary: /etc/passwd -file corruption
Product: [Retired] Red Hat Linux
Reporter: Need Real Name <jakemus>
Component: passwd
Assignee: Jindrich Novy <jnovy>
Status: CLOSED NOTABUG
QA Contact: Aaron Brown <abrown>
Severity: high
Priority: medium
Version: 7.0
CC: dr, pknirsch
Hardware: i386   
OS: Linux   
Doc Type: Bug Fix
Last Closed: 2004-09-16 10:48:39 UTC

Description Need Real Name 2000-12-15 11:34:41 UTC
System I administer:
- RH 7.0 / Intel, updated from RH 6.2
- Shadow passwords are in use
- There are several entries in /etc/passwd having
  UID=0 / GID=0 with different usernames

Damage happened:
all entries having UID=0 and username NOT beginning
with "root[something]" were changed so that the
UID and GID were copied from the entry above.
For example:
--<cut>--
figu:x:531:531:Risto Avila:/home/figu:/bin/bash
bofh:x:0:0:Bastard Operator From Hell:/root:/bin/bash
--<cut>--
was changed to
--<cut>--
figu:x:531:531:Risto Avila:/home/figu:/bin/bash
bofh:x:531:531:Bastard Operator From Hell:/root:/bin/bash
--<cut>--
Entries where the username was, e.g., "rootbeer", beginning with
"root", were just as they were supposed to be.

When:
That is unfortunately not clear, and I couldn't reproduce the
problem. The things that I suspect are use of:
"passwd somebody" run as root
"adduser -u 123 -g 123 -d /home/person person"

  
This may be a bit paranoid or caused by some user having the
root privileges with some other commands, I'm not too sure
everybody's know-how is high enough to do what they're doing..
But please do something if reports with similar symptoms pop up.

Jarkko Hakala
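
A baseline comparison that would catch the change described in this report, as an added example (not code from the reporter or from Red Hat): it diffs a saved copy of /etc/passwd against the current one, flags UID/GID changes, and notes when the new IDs equal those of the preceding entry. The `figu` and `bofh` lines are the ones quoted above; the `root` and `rootbeer` lines and all function names are constructed for illustration.

```python
from typing import NamedTuple

class Entry(NamedTuple):
    name: str
    uid: int
    gid: int

def parse_passwd(text):
    """Parse passwd(5) text into an ordered list; skip comments and malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        try:
            entries.append(Entry(fields[0], int(fields[2]), int(fields[3])))
        except ValueError:
            continue  # non-numeric UID/GID: not a valid entry
    return entries

def audit(baseline_text, current_text):
    """Return (kind, username, detail) findings for the current file."""
    base = {e.name: e for e in parse_passwd(baseline_text)}
    current = parse_passwd(current_text)
    findings = []
    for i, e in enumerate(current):
        if e.uid == 0 and e.name != "root":
            findings.append(("extra-uid0", e.name, "UID 0 account other than root"))
        old = base.get(e.name)
        if old and (old.uid, old.gid) != (e.uid, e.gid):
            detail = f"{old.uid}:{old.gid} -> {e.uid}:{e.gid}"
            prev = current[i - 1] if i else None
            if prev and (prev.uid, prev.gid) == (e.uid, e.gid):
                # The pattern from the report: IDs copied from the entry above.
                detail += f" (same as preceding entry {prev.name})"
            findings.append(("id-changed", e.name, detail))
    return findings

# Constructed sample: baseline snapshot and the file after the damage.
BASELINE = """root:x:0:0:root:/root:/bin/bash
rootbeer:x:0:0:constructed entry:/root:/bin/bash
figu:x:531:531:Risto Avila:/home/figu:/bin/bash
bofh:x:0:0:Bastard Operator From Hell:/root:/bin/bash
"""
CURRENT = BASELINE.replace("bofh:x:0:0:", "bofh:x:531:531:")

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT):
        print(*finding, sep="\t")
```

Run from cron against a root-only copy of the file, this turns an unexplained change like the one above into a timestamped finding.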

Comment 1 Jindrich Novy 2004-09-16 10:48:39 UTC
Jarkko, this looks really weird... Anyway, I was unable to reproduce
it. If such a thing happens to you again using a recent Red Hat release
and is reproducible, please create a new bug. Thanks!

Jindrich