Bug 73450

Summary: Cannot create lines in /etc/group longer than 8k
Product: [Retired] Red Hat Linux Reporter: Charlie Brady <charlieb-redhat-bugzilla>
Component: shadow-utilsAssignee: Eido Inoue <havill>
Status: CLOSED CURRENTRELEASE QA Contact: David Lawrence <dkl>
Severity: high Docs Contact:
Priority: medium    
Version: 7.3CC: jim
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-10-27 18:47:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Charlie Brady 2002-09-04 20:31:33 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020408

Description of problem:
Lines in /etc/group are truncated if enough users are added to a group to make
the line length > 8k.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
Instal RH linux, and run this program:

#! /usr/bin/perl -w

use strict;

foreach my $user (0..1100)
{
	$user = "user$user";
	print "Doing user $user\n";
	system("/usr/sbin/useradd", "$user");
	system("/usr/sbin/usermod", "-G", "shared", "$user");
}



	

Actual Results: 
shared:x:500:public,admin,www,user0,user1,user2,user3,user4,user5,user6,\
...
user513,user514,user515,user516,user517,user518,user519,user520,user521,user1100



Expected Results: 
shared:x:500:public,admin,www,user0,user1,user2,user3,user4,user5,user6,user7,user8,\
...
user1095,user1096,user1097,user1098,user1099,user1100


Additional info:

This was noticed, and a fix promised, long ago:

http://security-archive.merton.ox.ac.uk/security-audit-200009/0002.html

[snip]
> I'm using #4 for my PAM'ified systems now. Still need to "port" some
> of the reliability fixes I did for libpwdb to the password file I/O
> routines found in shadow-utils.

Just curious, what are these fixes? These routines were meant to be
quite reliable, though I have received one bug report recently: very
long lines (>8K characters) in group files are truncated (this is a
very old bug, but reported after shadow-20000826 was released, so I'll
probably make another bugfix release soon, probably the last one from
me after all these years...). 
[snip]

The bug is fixed in the PLD version of the package:

http://rpmfind.net/linux/PLD/current/software/shadow/NEWS

...
- fix bug discovered and fixed by Marcel Ritter
  <Marcel.Ritter.de>
Due to a big buffer size in lib/commonio.c this error does only appear
  if a line gets longer than 4096 bytes (there are probably very few people
  stumbling across this).
  Ths bug can be exposed by trashing /etc/groups file using useradd with script:
	#!/bin/sh
	typeset -i NUM
	NUM=0
	groupadd demogroup
	while [ $NUM -le 1000 ]; do
	   useradd -g demogroup -G demogroup -p "NONE" user$NUM
	   NUM=$NUM+1
	done
...


This patch to lib/commonio.c is the relevant bit of their fix:

... 
 	while (db->ops->fgets(buf, buflen, db->fp)) {
 
	while (!(cp = strrchr(buf, '\n')) && !feof(db->fp)) {
+
		int len;
+
 
		buflen += BUFLEN;
 
		cp = (char *) realloc(buf, buflen);
 
		if (!cp)
 
			goto cleanup_buf;
 
		buf = cp;
-
		db->ops->fgets(buf + buflen - BUFLEN, BUFLEN, db->fp);
+
		len = strlen(buf);
+
		db->ops->fgets(buf + len, buflen - len, db->fp);
 
	}
 
	if ((cp = strrchr(buf, '\n')))
 
		*cp = '\0';
Comment 1 Leszek Matok 2002-10-03 21:39:14 UTC 
Please take a look at bug 60304, it's duplicate (and these two are duplicates of
bug 3809), I have attached my patch there.