Bug 454892 - lnewusers can corrupt /etc/passwd
Summary: lnewusers can corrupt /etc/passwd
Alias: None
Product: Fedora
Classification: Fedora
Component: libuser
Version: 8
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Miloslav Trmač
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks: 646386
TreeView+ depends on / blocked
Reported: 2008-07-10 16:14 UTC by Milos Malik
Modified: 2010-10-25 09:44 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 646386 (view as bug list)
Last Closed: 2008-07-23 13:42:05 UTC
Type: ---

Attachments (Terms of Use)

Description Milos Malik 2008-07-10 16:14:12 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20080702 Fedora/ Firefox/

Description of problem:
lnewusers doesn't check the input line if it contains too many ':' characters

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. lnewusers
2. write following string, press enter, press CTRL+D
3. you should see an error message like this:
Error creating home directory for testuser: couldn't determine security context for `user': No such file or directory
4. grep testuser /etc/passwd

Actual Results:
lnewusers accepts line with too many ':' characters

Expected Results:
lnewusers rejects line with too many ':' characters

Additional info:

Comment 1 Milos Malik 2008-07-16 13:19:59 UTC
RHTS test for this bug is available
(/CoreOS/libuser/Regression/bz454892-lnewusers-corrupt-etc-passwd ). 

Comment 2 Miloslav Trmač 2008-07-23 13:42:05 UTC
Thanks for your report.

I believe this is actually correct behavior: libc's getpwent() doesn't reject
pw_shell values that contain ':', only the first 6 ':' characters serve as field

It's somewhat counter-intuitive, but it is in principle possible that somebody's
shell path contains a ':', and lnewusers should not reject lines that come from
a working /etc/passwd.

Note You need to log in before you can comment on or make changes to this bug.