Bug 454892 - lnewusers can corrupt /etc/passwd
Summary: lnewusers can corrupt /etc/passwd
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: libuser
Version: 8
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Miloslav Trmač
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 646386
TreeView+ depends on / blocked
 
Reported: 2008-07-10 16:14 UTC by Milos Malik
Modified: 2010-10-25 09:44 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 646386 (view as bug list)
Environment:
Last Closed: 2008-07-23 13:42:05 UTC
Type: ---


Attachments (Terms of Use)

Description Milos Malik 2008-07-10 16:14:12 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.15) Gecko/20080702 Fedora/2.0.0.15-1.fc8 Firefox/2.0.0.15

Description of problem:
lnewusers doesn't check the input line if it contains too many ':' characters

Version-Release number of selected component (if applicable):
libuser-0.56.6-2

How reproducible:
Always


Steps to Reproduce:
1. lnewusers
2. write following string, press enter, press CTRL+D
testuser:password:543:543:test:user:/home/testuser:/bin/bash
3. you should see an error message like this:
Error creating home directory for testuser: couldn't determine security context for `user': No such file or directory
4. grep testuser /etc/passwd
testuser:x:543:543:test:user:/home/testuser:/bin/bash:/bin/bash

Actual Results:
lnewusers accepts line with too many ':' characters

Expected Results:
lnewusers rejects line with too many ':' characters

Additional info:

Comment 1 Milos Malik 2008-07-16 13:19:59 UTC
RHTS test for this bug is available
(/CoreOS/libuser/Regression/bz454892-lnewusers-corrupt-etc-passwd ). 

Comment 2 Miloslav Trmač 2008-07-23 13:42:05 UTC
Thanks for your report.

I believe this is actually correct behavior: libc's getpwent() doesn't reject
pw_shell values that contain ':', only the first 6 ':' characters serve as field
separators.

It's somewhat counter-intuitive, but it is in principle possible that somebody's
shell path contains a ':', and lnewusers should not reject lines that come from
a working /etc/passwd.


Note You need to log in before you can comment on or make changes to this bug.