Bug 450262 - usermod/useradd may inadvertently give access to group root
usermod/useradd may inadvertently give access to group root
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: shadow-utils (Show other bugs)
All Linux
low Severity high
: rc
: ---
Assigned To: Peter Vrabec
Depends On:
  Show dependency treegraph
Reported: 2008-06-06 05:27 EDT by Ralph Angenendt
Modified: 2013-04-12 15:45 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-09-03 05:03:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
fix candidate (1.08 KB, text/x-patch)
2008-06-17 08:01 EDT, Peter Vrabec
no flags Details

  None (edit)
Description Ralph Angenendt 2008-06-06 05:27:58 EDT
Description of problem:

With a simple typo when using useradd or usermod, you can give users access to
the root group. 

Version-Release number of selected component (if applicable):


How reproducible:

usermod -G group1,group2, username

gives that user access to group root

Steps to Reproduce:

[root@shutdown ~]# useradd -G content, foobar
[root@shutdown ~]# groups foobar
foobar : foobar root content
[root@shutdown ~]# usermod -G content foobar
[root@shutdown ~]# groups foobar
foobar : foobar content
[root@shutdown ~]# usermod -G content,backup, foobar
[root@shutdown ~]# groups foobar
foobar : foobar root content backup

Actual results:

user is member of the group root

Expected results:

Throw an error of some sort

Additional info:

This bug has been found in CentOS, see http://bugs.centos.org/view.php?id=2876
Comment 1 Peter Vrabec 2008-06-17 08:01:07 EDT
Created attachment 309604 [details]
fix candidate
Comment 3 Ralph Angenendt 2008-06-17 08:41:03 EDT
This fixes it for me.
Comment 4 Josh Bressers 2008-06-24 14:20:42 EDT
This was just brought to my attention by sgrubb.  I'm inclined to say this isn't
a security issue as it's the result of user error.  I will agree that the
behavior is undesirable, but not serious enough to be classified as a security flaw.
Comment 5 Ralph Angenendt 2008-06-24 19:02:28 EDT
Nobody said it's a security issue, but it's an ugly bug none the less. The patch
in comment 2 fixes the issue for me, as you cannot add empty groups anymore.
Comment 9 errata-xmlrpc 2008-09-03 05:03:32 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.