Bug 133664 - "useradd -u 4294967295" creates homedirectory with userid 0
"useradd -u 4294967295" creates homedirectory with userid 0
Product: Fedora
Classification: Fedora
Component: shadow-utils (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Peter Vrabec
David Lawrence
Depends On:
  Show dependency treegraph
Reported: 2004-09-25 17:38 EDT by Leopold Aichinger
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-09-29 11:44:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:

Attachments (Terms of Use)

  None (edit)
Description Leopold Aichinger 2004-09-25 17:38:33 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; de-DE; rv:1.7.2)

Description of problem:
Thereis a bug in the useradd command
if you use the hightest possible userid 2^32-1
which is 4294967295

Lets create a user with this userid and give him
the name omega:
[root@jupiter root]# useradd -u `echo "2^32-1"|bc` omega
[root@jupiter root]# grep /omega /etc/passwd

All perfect, but if we look at the homedirectory
of the user omega:

[root@jupiter root]# ls -ld /home/omega
drwx------   3 root   root    4096 24. Sep 13:13 omega
[root@jupiter root]# ls -ldn /home/
drwx------   3   0   0  4096 24. Sep 13:13 omega

The homedirectory was created with owner root and group root
Lets create a new user which we call "beforomega" because he
has an userid which is omega's userid minus one
which is "2^32-2":

[root@jupiter root]# useradd -u `echo "2^32-2"|bc` beforomega
[root@jupiter root]# ls -ln /home/
drwx------   3 4294967294 4294967294  4096 24. Sep 13:17 beforomega
drwx------   2          0          0 16384  7. Jun 00:28 lost+found
drwx------   3          0          0  4096 24. Sep 13:13 omega

All is perfect.

The real reason is because there is a bug in the chown() funktion
which doesnot handle this userid correct,
lets demonstrate this with a litte c-program:

[root@jupiter root]# 
[root@jupiter tmp]# cd newdir/

The program mkdir1.c creates a directory called test
and tries do change the owner of this directory to
userid 4294967295, which is "2^32-1"

Okay lets go:

[root@jupiter newdir]# cat mkdir1.c 

int main(){
unsigned int userid=4294967295; //userid=2^32-1
char dir[]="./test";

printf("userid Groesse: %d\n",sizeof(userid));

return 0;

Lets compile and start the program:

[root@jupiter newdir]# gcc -o mkdir1.c  mkdir1.c 
mkdir1.c: In Funktion �main�:
mkdir1.c:7: Warnung: this decimal constant is unsigned only in ISO C90
[root@jupiter newdir]# ./mkdir1 
userid Groesse: 4

Look at the result:

[root@jupiter newdir]# ls -ld test
d---------  2 root root 4096 24. Sep 14:09 test

The directory created by the program mkdir1 belongs to root
who started the programm mkdir1.
chown didn't work !!

To proof this we create a new c-program
under the name mkdir2, but we use a
userid "2^32-2":

[root@jupiter newdir]# cat mkdir2.c 

int main(){
unsigned int userid=4294967294;  //userid=2^32-2
char dir[]="./test2";

printf("userid Groesse: %d\n",sizeof(userid));

return 0;

[root@jupiter newdir]# gcc -o mkdir2 mkdir2.c 
mkdir2.c: In Funktion �main�:
mkdir2.c:7: Warnung: this decimal constant is unsigned only in ISO C90
Let start the programm:

[root@jupiter newdir]# ./mkdir2
userid Groesse: 4

Look at the result:

[root@jupiter newdir]# ls -ln test2
insgesamt 28
d---------  2 4294967294 0 4096 24. Sep 14:12 test2

chown now did his work.

[root@jupiter newdir]# exit

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.useradd -u `echo "2^32-1" | bc` omega
2.ls -ld /home/omega
3.ls -ldn /home/omega

Actual Results:  homedirectory created by useradd has owner and group
root - which is the result of a bug in the chown()-function
in the useradd-code if chown() failes the homedirectory
will be created with userid 0

Expected Results:  homedirectory should have userid 2^32-1

Additional info:
Comment 1 Matthew Miller 2005-04-26 11:56:01 EDT
Fedora Core 2 is now maintained by the Fedora Legacy project for
security updates only. If this problem is a security issue, please
reopen and reassign to the Fedora Legacy product. If it is not a
security issue and hasn't been resolved in the current FC3 updates or
in the FC4 test release, reopen and change the version to match.
Comment 2 Peter Vrabec 2005-09-29 11:44:49 EDT
2^32-1 == (unsigned) - 1
$man chown
If the owner or group is specified as -1, then that ID is not changed.

Note You need to log in before you can comment on or make changes to this bug.