Bug 646386

Summary: lnewusers can corrupt /etc/passwd
Product: Red Hat Enterprise Linux 5 Reporter: Miroslav Vadkerti <mvadkert>
Component: libuserAssignee: Miloslav Trmač <mitr>
Status: CLOSED NOTABUG QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.6CC: mmalik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 454892 Environment:
Last Closed: 2010-10-25 17:48:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 454892    
Bug Blocks:    

Description Miroslav Vadkerti 2010-10-25 09:44:02 UTC 
+++ This bug was initially created as a clone of Bug #454892 +++

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.15) Gecko/20080702 Fedora/2.0.0.15-1.fc8 Firefox/2.0.0.15

Description of problem:
lnewusers doesn't check the input line if it contains too many ':' characters

Version-Release number of selected component (if applicable):
libuser-0.56.6-2

How reproducible:
Always


Steps to Reproduce:
1. lnewusers
2. write following string, press enter, press CTRL+D
testuser:password:543:543:test:user:/home/testuser:/bin/bash
3. you should see an error message like this:
Error creating home directory for testuser: couldn't determine security context for `user': No such file or directory
4. grep testuser /etc/passwd
testuser:x:543:543:test:user:/home/testuser:/bin/bash:/bin/bash

Actual Results:
lnewusers accepts line with too many ':' characters

Expected Results:
lnewusers rejects line with too many ':' characters

Additional info:

--- Additional comment from mmalik on 2008-07-16 09:19:59 EDT ---

RHTS test for this bug is available
(/CoreOS/libuser/Regression/bz454892-lnewusers-corrupt-etc-passwd ). 

--- Additional comment from mitr on 2008-07-23 09:42:05 EDT ---

Thanks for your report.

I believe this is actually correct behavior: libc's getpwent() doesn't reject
pw_shell values that contain ':', only the first 6 ':' characters serve as field
separators.

It's somewhat counter-intuitive, but it is in principle possible that somebody's
shell path contains a ':', and lnewusers should not reject lines that come from
a working /etc/passwd.
Comment 1 Miloslav Trmač 2010-10-25 17:48:03 UTC 
See above:

> I believe this is actually correct behavior: libc's getpwent() doesn't reject
> pw_shell values that contain ':', only the first 6 ':' characters serve as
> field separators.

> It's somewhat counter-intuitive, but it is in principle possible that somebody's
> shell path contains a ':', and lnewusers should not reject lines that come from
> a working /etc/passwd.