Red Hat Bugzilla – Bug 73450
Cannot create lines in /etc/group longer than 8k
Last modified: 2007-04-18 12:46:20 EDT
From Bugzilla Helper: User-Agent: Mozilla/5.0 Galeon/1.2.0 (X11; Linux i686; U;) Gecko/20020408 Description of problem: Lines in /etc/group are truncated if enough users are added to a group to make the line length > 8k. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: Instal RH linux, and run this program: #! /usr/bin/perl -w use strict; foreach my $user (0..1100) { $user = "user$user"; print "Doing user $user\n"; system("/usr/sbin/useradd", "$user"); system("/usr/sbin/usermod", "-G", "shared", "$user"); } Actual Results: shared:x:500:public,admin,www,user0,user1,user2,user3,user4,user5,user6,\ ... user513,user514,user515,user516,user517,user518,user519,user520,user521,user1100 Expected Results: shared:x:500:public,admin,www,user0,user1,user2,user3,user4,user5,user6,user7,user8,\ ... user1095,user1096,user1097,user1098,user1099,user1100 Additional info: This was noticed, and a fix promised, long ago: http://security-archive.merton.ox.ac.uk/security-audit-200009/0002.html [snip] > I'm using #4 for my PAM'ified systems now. Still need to "port" some > of the reliability fixes I did for libpwdb to the password file I/O > routines found in shadow-utils. Just curious, what are these fixes? These routines were meant to be quite reliable, though I have received one bug report recently: very long lines (>8K characters) in group files are truncated (this is a very old bug, but reported after shadow-20000826 was released, so I'll probably make another bugfix release soon, probably the last one from me after all these years...). [snip] The bug is fixed in the PLD version of the package: http://rpmfind.net/linux/PLD/current/software/shadow/NEWS ... - fix bug discovered and fixed by Marcel Ritter <Marcel.Ritter@rrze.uni-erlangen.de> Due to a big buffer size in lib/commonio.c this error does only appear if a line gets longer than 4096 bytes (there are probably very few people stumbling across this). Ths bug can be exposed by trashing /etc/groups file using useradd with script: #!/bin/sh typeset -i NUM NUM=0 groupadd demogroup while [ $NUM -le 1000 ]; do useradd -g demogroup -G demogroup -p "NONE" user$NUM NUM=$NUM+1 done ... This patch to lib/commonio.c is the relevant bit of their fix: ... while (db->ops->fgets(buf, buflen, db->fp)) { while (!(cp = strrchr(buf, '\n')) && !feof(db->fp)) { + int len; + buflen += BUFLEN; cp = (char *) realloc(buf, buflen); if (!cp) goto cleanup_buf; buf = cp; - db->ops->fgets(buf + buflen - BUFLEN, BUFLEN, db->fp); + len = strlen(buf); + db->ops->fgets(buf + len, buflen - len, db->fp); } if ((cp = strrchr(buf, '\n'))) *cp = '\0';
Please take a look at bug 60304, it's duplicate (and these two are duplicates of bug 3809), I have attached my patch there.