Red Hat Bugzilla – Bug 92033
passwd doesn't handle multiple usernames w/ same uid
Last modified: 2007-11-30 17:10:31 EST
Description of problem:
Two or more usernames w/ same uid (e.g. u1:1001 and u2:1001). Log in as u2;
run passwd; passwd will say "Changing password for user u1", and will change
u1's password, if u1 is first in /etc/passwd.
Version-Release number of selected component (if applicable):
applies to all versions since 5.2, I believe
Steps to Reproduce:
1. (as root) useradd u1; useradd u2
2. edit /etc/passwd file to change uid for u2 to be same as uid for u1
3. chown -R u1 /home/u2
4. su - u2
Actual results:
"Changing password for user u1"
Expected results:
"Changing password for user u2"
The behavior of passwd changed after 5.2, apparently in an attempt to avoid
the insecurity of the getlogin function. However, the insecurity of getlogin
is not, I believe, really an issue, since the getuid check still applies.
This is a difficult problem to fix securely, and it may be impossible to do a
job that is both complete and secure. I have a patch that I believe does
OK (it meets my needs, at least), and I have been using it for some time now.
It would be much better, of course, if the functionality was supported.
Kent, could you send the patch here?
Having two users with the same uid isn't supported well by many system utilities
so I don't think passwd is too different from the rest of the system.
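
Added example, not the reporter's patch and not passwd's own code: a sketch of the check the report refers to, where a login-name hint (such as getlogin() returns) is honoured only if that account's uid equals the caller's real uid. The account table, struct and function names are constructed for illustration and stand in for getpwuid()/getpwnam() lookups.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* One account record; stands in for a line of /etc/passwd. */
struct account { const char *name; uid_t uid; };

/* Constructed sample matching the report: u1 and u2 share uid 1001. */
static const struct account sample_db[] = {
    { "root", 0 }, { "u1", 1001 }, { "u2", 1001 }, { "u3", 1002 },
};
#define SAMPLE_N (sizeof sample_db / sizeof sample_db[0])

/* First entry with this uid, which is what a getpwuid()-style lookup yields. */
static const struct account *by_uid(const struct account *db, size_t n, uid_t uid)
{
    for (size_t i = 0; i < n; i++)
        if (db[i].uid == uid)
            return &db[i];
    return NULL;
}

/* Entry with this exact name, like a getpwnam()-style lookup. */
static const struct account *by_name(const struct account *db, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(db[i].name, name) == 0)
            return &db[i];
    return NULL;
}

/* Pick the account whose password will be changed.
 * The hint is untrusted: honour it only if that account exists and its uid
 * equals the caller's real uid; otherwise fall back to the uid lookup. */
const char *resolve_target(const struct account *db, size_t n, uid_t ruid, const char *hint)
{
    const struct account *a = (hint && *hint) ? by_name(db, n, hint) : NULL;
    if (a == NULL || a->uid != ruid)
        a = by_uid(db, n, ruid);
    return a ? a->name : NULL;
}

int main(void)
{
    printf("no hint:   %s\n", resolve_target(sample_db, SAMPLE_N, 1001, NULL));
    printf("hint u2:   %s\n", resolve_target(sample_db, SAMPLE_N, 1001, "u2"));
    printf("bad hint:  %s\n", resolve_target(sample_db, SAMPLE_N, 1002, "u1"));
    return 0;
}
```

Accounts that share a uid are indistinguishable to the kernel, so the hint only selects among names the caller already controls; it cannot redirect the change to an account with a different uid.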