Debian Bug report logs - #25882
base-passwd: avoid uid/gid 100

Package: base-passwd; Maintainer for base-passwd is Colin Watson <cjwatson@debian.org>; Source for base-passwd is src:base-passwd.

Reported by: Ian Jackson <ian@chiark.greenend.org.uk>

Date: Tue, 18 Aug 1998 11:33:02 UTC

Severity: normal



Report forwarded to debian-bugs-dist@lists.debian.org, Galen Hazelwood <galenh@micron.net>:
Bug#25882; Package base-passwd.

Acknowledgement sent to Ian Jackson <ian@chiark.greenend.org.uk>:
New bug report received and forwarded. Copy sent to Galen Hazelwood <galenh@micron.net>.

Message #5 received at submit@bugs.debian.org:

From: Ian Jackson <ian@chiark.greenend.org.uk>
To: Debian bugs submission address <submit@bugs.debian.org>
Subject: various system users inherited my personal gid (100) !
Date: Tue, 18 Aug 1998 12:18:11 +0100 (BST)
Package: base-passwd
Version: 2.0.3.3
Severity: critical

I had cause to look in /etc/passwd recently, and found that several
system accounts had inherited my gid, 100:

sync:*:4:100:sync:/bin:/bin/sync
games:*:5:100:games:/usr/games:
man:*:6:100:man:/var/catman:

I'm _almost_ certain that these weren't like that before the hamm
upgrade, and indeed, in /usr/share/base-passwd/passwd.master:

sync:*:4:100:sync:/bin:/bin/sync
games:*:5:100:games:/usr/games:/bin/sh
man:*:6:100:man:/var/catman:/bin/sh

Group 100 is not in the globally-statically-allocated range.  Indeed,
on my system I grandfathered in my own personal uid and gid 100 from
my previous (non-Debian) installation.  Other sites may use these for
local purposes.

Some other harmless group should be used, 65534 perhaps.

Thanks,
Ian.


Information forwarded to debian-bugs-dist@lists.debian.org, Galen Hazelwood <galenh@micron.net>:
Bug#25882; Package base-passwd.

Acknowledgement sent to jdassen@wi.leidenuniv.nl:
Extra info received and forwarded to list. Copy sent to Galen Hazelwood <galenh@micron.net>.

Message #10 received at 25882@bugs.debian.org:

From: jdassen@wi.leidenuniv.nl
To: ian@chiark.greenend.org.uk, 25882@bugs.debian.org
Subject: Re: Bug#25882: various system users inherited my personal gid (100) !
Date: Tue, 18 Aug 1998 14:15:35 +0200
On Tue, Aug 18, 1998 at 12:18:11PM +0100, Ian Jackson wrote:
> Group 100 is not in the globally-statically-allocated range.  Indeed, on
> my system I grandfathered in my own personal uid and gid 100 from my
> previous (non-Debian) installation.  Other sites may use these for local
> purposes.
> 
> Some other harmless group should be used, 65534 perhaps.

If I read the policy manual correctly, the correct behaviour would be to use
an unused UID/GID in the 100-999 range.

Ray
-- 
LEADERSHIP  A form of self-preservation exhibited by people with auto-
destructive imaginations in order to ensure that when it comes to the crunch 
it'll be someone else's bones which go crack and not their own.       
- The Hipcrime Vocab by Chad C. Mulligan    


Bug reassigned from package `base-passwd' to `debian-policy'. Request was from Anthony Towns <aj@azure.humbug.org.au> to control@bugs.debian.org.

Changed bug title. Request was from Anthony Towns <aj@azure.humbug.org.au> to control@bugs.debian.org.

Severity set to `wishlist'. Request was from Anthony Towns <aj@azure.humbug.org.au> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#25882; Package debian-policy.

Acknowledgement sent to Julian Gilbey <J.D.Gilbey@qmw.ac.uk>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>.

Message #21 received at 25882@bugs.debian.org:

From: Julian Gilbey <J.D.Gilbey@qmw.ac.uk>
To: 25882@bugs.debian.org, ajt@debian.org
Cc: iwj@debian.org, base-passwd@packages.debian.org
Subject: Bug#25882: [PROPOSED] u/gid 100 should be statically allocated
Date: Sun, 30 May 1999 17:35:56 +0100 (BST)
Ian Jackson wrote:
> I had cause to look in /etc/passwd recently, and found that several
> system accounts had inherited my gid, 100:
> 
> sync:*:4:100:sync:/bin:/bin/sync
> games:*:5:100:games:/usr/games:
> man:*:6:100:man:/var/catman:
> 
> I'm _almost_ certain that these weren't like that before the hamm
> upgrade, and indeed, in /usr/share/base-passwd/passwd.master:
> 
> sync:*:4:100:sync:/bin:/bin/sync
> games:*:5:100:games:/usr/games:/bin/sh
> man:*:6:100:man:/var/catman:/bin/sh
> 
> Group 100 is not in the globally-statically-allocated range.  Indeed,
> on my system I grandfathered in my own personal uid and gid 100 from
> my previous (non-Debian) installation.  Other sites may use these for
> local purposes.
> 
> Some other harmless group should be used, 65534 perhaps.

Or alternatively allocate one of the unused groups in the 0-99 range
for this explicit purpose if a group other than `nogroup' is required.

It does not make sense to change policy to make UID/GID 100 statically
allocated to solve this simple problem.  The correct solution is for
base-passwd to change the three offending users (sync, games, man) to
the correct behaviour.

So I oppose this proposal and suggest that we should reassign this bug
back to base-passwd.

   Julian

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  Julian Gilbey, Dept of Maths, QMW, Univ. of London. J.D.Gilbey@qmw.ac.uk
        Debian GNU/Linux Developer,  see http://www.debian.org/~jdg


Changed bug title. Request was from Julian Gilbey <J.D.Gilbey@qmw.ac.uk> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#25882; Package debian-policy.

Acknowledgement sent to Anthony Towns <ajt@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>.

Message #28 received at 25882@bugs.debian.org:

From: Anthony Towns <ajt@debian.org>
To: Julian Gilbey <J.D.Gilbey@qmw.ac.uk>
Cc: 25882@bugs.debian.org, iwj@debian.org, base-passwd@packages.debian.org
Subject: Re: Bug#25882: [PROPOSED] u/gid 100 should be statically allocated
Date: Sat, 12 Jun 1999 14:57:21 +1000
On Sun, May 30, 1999 at 05:35:56PM +0100, Julian Gilbey wrote:
> > I had cause to look in /etc/passwd recently, and found that several
> > system accounts had inherited my gid, 100:
> > sync:*:4:100:sync:/bin:/bin/sync
> > games:*:5:100:games:/usr/games:
> > man:*:6:100:man:/var/catman:
> Or alternatively allocate one of the unused groups in the 0-99 range
> for this explicit purpose if a group other than `nogroup' is required.

Please see the discussion in http://www.debian.org/Bugs/db/25/25882-b.html#m5

In summary, changing this group is a risky thing to do on all the
Debian systems currently installed (it requires messing with people's
filesystems); the current behaviour has been standard "forever" on Debian
(and hasn't resulted in a slew of bug reports); and having a variable
group number requires changes to other packages.

I'd appreciate it if you (or someone else who'd rather an alternate
solution) address the problems outlined at the above url at any rate.

Cheers,
aj

-- 
Anthony Towns <aj@humbug.org.au> <http://azure.humbug.org.au/~aj/>
I don't speak for anyone save myself. PGP encrypted mail preferred.

       ``There's nothing worse than people with a clue.
             They're always disagreeing with you.'' 
                                 -- Andrew Over


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#25882; Package debian-policy.

Acknowledgement sent to Julian Gilbey <J.D.Gilbey@qmw.ac.uk>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>.

Message #33 received at 25882@bugs.debian.org:

From: Julian Gilbey <J.D.Gilbey@qmw.ac.uk>
To: ajt@debian.org (Anthony Towns)
Cc: J.D.Gilbey@qmw.ac.uk, 25882@bugs.debian.org, iwj@debian.org, base-passwd@packages.debian.org
Subject: Re: Bug#25882: [PROPOSED] u/gid 100 should be statically allocated
Date: Sun, 13 Jun 1999 23:50:49 +0100 (BST)
> On Sun, May 30, 1999 at 05:35:56PM +0100, Julian Gilbey wrote:
> > > I had cause to look in /etc/passwd recently, and found that several
> > > system accounts had inherited my gid, 100:
> > > sync:*:4:100:sync:/bin:/bin/sync
> > > games:*:5:100:games:/usr/games:
> > > man:*:6:100:man:/var/catman:
> > Or alternatively allocate one of the unused groups in the 0-99 range
> > for this explicit purpose if a group other than `nogroup' is required.
> 
> Please see the discussion in http://www.debian.org/Bugs/db/25/25882-b.html#m5
> 
> In summary, changing this group is a risky thing to do on all the
> Debian systems currently installed (it requires messing with people's
> filesystems); the current behaviour has been standard "forever" on Debian
> (and hasn't resulted in a slew of bug reports); and having a variable
> group number requires changes to other packages.
> 
> I'd appreciate it if you (or someone else who'd rather an alternate
> solution) address the problems outlined at the above url at any rate.

A question on this one:

There are only three users in /etc/passwd which have a gid of 100.

The gid of "users" in /etc/group could probably be changed by a local
admin without too many problems; the /etc/adduser.conf file would need
modification, but anyone playing with this issue could reasonably be
expected to figure this out.  (This is sysadmin stuff, not general
user stuff.)

So to what extent do these three users (man, sync and games) actually
need to be in the users group?  Do they ever use their gids?  Why
could they not be given group nogroup in future?  Then if the sysadmin
were to change the gid of "users", there would be no interference or
problems caused.

The original bug report talked about changing the gids of these three
users, nothing more major than that.  And this would not need to be a
retroactive change: as long as these three users don't *need* to be in
users, they shouldn't be.

Actually, I don't understand after some more thinking about it why
they are in users in the first place.  I also don't understand what
harm it could cause.

Not even 2 cents' worth!

   Julian

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  Julian Gilbey, Dept of Maths, QMW, Univ. of London. J.D.Gilbey@qmw.ac.uk
        Debian GNU/Linux Developer,  see http://www.debian.org/~jdg


Changed bug title. Request was from Manoj Srivastava <srivasta@debian.org> to control@bugs.debian.org.

Severity set to `fixed'. Request was from Manoj Srivastava <srivasta@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Policy List <debian-policy@lists.debian.org>:
Bug#25882; Package debian-policy.

Acknowledgement sent to Julian Gilbey <J.D.Gilbey@qmw.ac.uk>:
Extra info received and forwarded to list. Copy sent to Debian Policy List <debian-policy@lists.debian.org>.

Message #42 received at 25882@bugs.debian.org:

From: Julian Gilbey <J.D.Gilbey@qmw.ac.uk>
To: 25882@bugs.debian.org, base-passwd@packages.debian.org
Subject: Bug#25882: U/gid 100 should be statically allocated
Date: Tue, 20 Jun 2000 13:33:27 +0100
Hello Wichert!

This bug report was originally made against the base-passwd package as
a critical bug.  It was then transferred to -policy and eventually
rejected.

Please could you look at it and let me know whether you think it
should be acted upon or closed.

Thanks,

   Julian

-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

  Julian Gilbey, Dept of Maths, QMW, Univ. of London. J.D.Gilbey@qmw.ac.uk
        Debian GNU/Linux Developer,  see http://www.debian.org/~jdg
  Donate free food to the world's hungry: see http://www.thehungersite.com/



Severity set to `normal'. Request was from Julian Gilbey <J.D.Gilbey@qmw.ac.uk> to control@bugs.debian.org.

Bug reassigned from package `debian-policy' to `base-passwd'. Request was from Julian Gilbey <J.D.Gilbey@qmw.ac.uk> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Wichert Akkerman <wakkerma@debian.org>:
Bug#25882; Package base-passwd.

Acknowledgement sent to Wichert Akkerman <wichert@cistron.nl>:
Extra info received and forwarded to list. Copy sent to Wichert Akkerman <wakkerma@debian.org>.

Message #51 received at 25882@bugs.debian.org:

From: Wichert Akkerman <wichert@cistron.nl>
To: Julian Gilbey <J.D.Gilbey@qmw.ac.uk>, 25882-submitter@bugs.debian.org, 25882@bugs.debian.org
Subject: Re: Reassign back to base-passwd
Date: Mon, 19 Feb 2001 17:34:10 +0100
Previously Julian Gilbey wrote:
> This really appears to be a base-passwd issue, not a policy issue.
> Please do with it as you think appropriate.

Oh joy, another ancient bug :)

Ian Jackson wrote:
> sync:*:4:100:sync:/bin:/bin/sync
> games:*:5:100:games:/usr/games:
> man:*:6:100:man:/var/catman:
> 
> I'm _almost_ certain that these weren't like that before the hamm
> upgrade, and indeed, in /usr/share/base-passwd/passwd.master:

My memory tells me different, and the changelog seems to agree with me.
I think what happened is that about a month before Ian filed this
bugreport Galen introduced update-passwd in unstable and that made
this change on his system.

> Group 100 is not in the globally-statically-allocated range.  Indeed,
> on my system I grandfathered in my own personal uid and gid 100 from
> my previous (non-Debian) installation.  Other sites may use these for
> local purposes.

It is in the 100-999 reserved range (same as uids) that is reserved
for the local dynamic range (see section 10.2 of the current
Debian policy text) though. Your last remark here is not a valid
argument: whatever range we reserve there is always some site that
uses that for a different purpose; we just have to select a good
range and stay with it.

I could modify update-passwd to change the gid for those users to
something else; I'm not entirely sure 65534 is the best choice
though. I'll look around to see what other distros do first.

Wichert.

-- 
  _________________________________________________________________
 /       Nothing is fool-proof to a sufficiently talented fool     \
| wichert@cistron.nl                  http://www.liacs.nl/~wichert/ |
| 1024D/2FA3BC2D 576E 100B 518D 2F16 36B0  2805 3CB8 9250 2FA3 BC2D |



Message sent on to Ian Jackson <ian@chiark.greenend.org.uk>:
Bug#25882.

Acknowledgement sent to Ian Jackson <ian@davenant.greenend.org.uk>:
Extra info received and filed, but not forwarded.

Message #57 received at 25882-quiet@bugs.debian.org:

From: Ian Jackson <ian@davenant.greenend.org.uk>
To: Wichert Akkerman <wichert@cistron.nl>, 25882-quiet@bugs.debian.org
Cc: Julian Gilbey <J.D.Gilbey@qmw.ac.uk>, 25882-submitter@bugs.debian.org,
Subject: Re: Bug#25882: Reassign back to base-passwd
Date: Sat, 10 Mar 2001 17:31:00 +0000 (GMT)
Wichert Akkerman writes ("Bug#25882: Reassign back to base-passwd"):
> Ian Jackson wrote:
> > Group 100 is not in the globally-statically-allocated range.  Indeed,
> > on my system I grandfathered in my own personal uid and gid 100 from
> > my previous (non-Debian) installation.  Other sites may use these for
> > local purposes.
> 
> It is in the 100-999 reserved range (same as uids) that is reserved
> for the local dynamic range (see section 10.2 of the current 
> Debian policy text) though. Your last remark here is not a valid
> argument: whatever range we reserve there is always some site that
> uses that for a different purpose; we just have to select a good
> range and stay with it.

Part of the point of having 100-999 as the local dynamic system range
rather than global and static is that if a site already uses those ids
the system will automatically avoid them, and that it is also possible
for sites to either move that range elsewhere if they already use
100-999 for real users (which is very common).

Putting the entries in the master files is not using them as local
dynamic entries, it's using them as global static entries.

Thanks,
ian.



Message sent on to Ian Jackson <ian@chiark.greenend.org.uk>:
Bug#25882.

Information forwarded to base-passwd@packages.qa.debian.org:
Bug#25882; Package base-passwd.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and filed, but not forwarded. Copy sent to base-passwd@packages.qa.debian.org.

Message #65 received at 25882-quiet@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 25882-quiet@bugs.debian.org
Subject: Other distributions
Date: Sat, 8 Feb 2003 13:00:42 +0000
Here's a brief survey of what a few other distributions do, mostly for
my own information when I come back to this bug.

Red Hat Linux 8.0 and Mandrake 9.0 (defaults from 'setup' package):

  User sync is in group root.
  User games is in group users (100).
  No man user.

SuSE (as best as I can figure out):

  User sync is in group root.
  User games is in group users (100).
  User man has its own group.

FreeBSD:

  No sync user.
  Users games and man have their own group.

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



Changed Bug title. Request was from Colin Watson <cjwatson@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, base-passwd@packages.qa.debian.org:
Bug#25882; Package base-passwd.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to base-passwd@packages.qa.debian.org.

Message #72 received at 25882@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: debian-devel@lists.debian.org
Cc: 25882@bugs.debian.org, Ian Jackson <ian@chiark.greenend.org.uk>
Subject: The 'users' gid: sync, games, and man
Date: Sun, 9 Feb 2003 12:34:19 +0000
Bug #25882 describes a problem with the three users sync, games, and
man. All three currently have their primary group set to 'users',
currently gid 100. The discussion got sidetracked into whether users
should have gid 100 at all (given that that's supposed to be in the
dynamic system range at the moment), but I'd like to avoid that part of
the bug for now and concentrate exclusively on the correct primary
groups for sync, games, and man.

sync:

  FreeBSD appears not to have this user. All GNU/Linux systems I looked
  at (Red Hat, Mandrake, SuSE) set its primary group to root. As far as
  I know the only thing sync is ever used for is running /bin/sync, so
  its gid probably isn't too important; root or maybe nogroup would do.

games:

  FreeBSD gives this its own group. All GNU/Linux systems I looked at
  set its primary group to users.

  We already have a static games group, and have done for long enough
  that there's no mention of it in the base-passwd changelog. Surely
  that should be the primary group of the games user, since it's there?
  The packages that contain files owned by the games user all have them
  owned by the games group as well.

man:

  FreeBSD gives this its own group. Red Hat and Mandrake don't have it
  in their basic passwd file (but they use a different man
  implementation anyway). SuSE use the same man implementation as we do
  and give it its own group (although they modify man-db to make it use
  group privileges much more than ours does).

  man and mandb drop privileges to the uid of the calling user except
  when they're performing trusted operations (saving cat pages in system
  territory, writing to system databases, etc.). As far as I know they
  never create group-writeable files as the man user, but if they did it
  would almost certainly be a security hole to have their group set to
  users. I'm therefore inclined to create a static group for man and set
  that as the man user's primary group. If there are objections to that
  then the root group would probably do, since /var/cache/man is setgid
  root anyway, but I'd prefer to overload groups as little as possible.

All this will address Ian's initial bug report, although not some other
parts of the discussion.

Comments? Please keep 25882@bugs.debian.org in the recipient list as
long as the discussion is relevant to it.

Thanks,

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>, base-passwd@packages.qa.debian.org:
Bug#25882; Package base-passwd.

Acknowledgement sent to Josip Rodin <joy@gkvk.hr>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>, base-passwd@packages.qa.debian.org.

Message #77 received at 25882@bugs.debian.org:

From: Josip Rodin <joy@gkvk.hr>
To: debian-devel@lists.debian.org, 25882@bugs.debian.org
Subject: Re: The 'users' gid: sync, games, and man
Date: Sun, 9 Feb 2003 14:20:53 +0100
On Sun, Feb 09, 2003 at 12:34:19PM +0000, Colin Watson wrote:
> sync:
> games:
> man:

Good summary. I'm inclined to say nogroup, games, nogroup, because using the
root group would possibly compromise other files on the system that happen
to be 0640, 0740 etc. Not that there should be any such files, but still.
Note also that nothing else appears to be using the root group by default.

-- 
     2. That which causes joy or happiness.



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>, base-passwd@packages.qa.debian.org:
Bug#25882; Package base-passwd.

Acknowledgement sent to Graham Wilson <bob@decoy.wox.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>, base-passwd@packages.qa.debian.org.

Message #82 received at 25882@bugs.debian.org:

From: Graham Wilson <bob@decoy.wox.org>
To: Josip Rodin <joy@gkvk.hr>
Cc: debian-devel@lists.debian.org, 25882@bugs.debian.org
Subject: Re: The 'users' gid: sync, games, and man
Date: Sun, 9 Feb 2003 16:33:39 -0600
On Sun, Feb 09, 2003 at 02:20:53PM +0100, Josip Rodin wrote:
> On Sun, Feb 09, 2003 at 12:34:19PM +0000, Colin Watson wrote:
> > sync:
> > games:
> > man:
> 
> Good summary. I'm inclined to say nogroup, games, nogroup, because
> using the root group would possibly compromise other files on the
> system that happen to be 0640, 0740 etc. Not that there should be any
> such files, but still. Note also that nothing else appears to be using
> the root group by default.

What happens if an application is running as group nogroup? Wouldn't it
be able to read group-readable files created by another program that is
group nogroup? Or am I just confused?

-- 
gram



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>, base-passwd@packages.qa.debian.org:
Bug#25882; Package base-passwd.

Acknowledgement sent to Michael Stone <mstone@debian.org>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>, base-passwd@packages.qa.debian.org.

Message #87 received at 25882@bugs.debian.org:

From: Michael Stone <mstone@debian.org>
To: debian-devel@lists.debian.org
Cc: 25882@bugs.debian.org
Subject: Re: The 'users' gid: sync, games, and man
Date: Sun, 9 Feb 2003 19:06:46 -0500
On Sun, Feb 09, 2003 at 04:33:39PM -0600, Graham Wilson wrote:
>What happens if an application is running as group nogroup? Wouldn't it
>be able to read group-readable files created by another program that is
>group nogroup? Or am I just confused?

No files should have group "nogroup". Likewise, no files should be
owned by "nobody". If either of these is the case somewhere on your
system you should create new user or group for that purpose...

Mike Stone



Information forwarded to debian-bugs-dist@lists.debian.org, base-passwd@packages.qa.debian.org:
Bug#25882; Package base-passwd.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to base-passwd@packages.qa.debian.org.

Message #92 received at 25882@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: debian-devel@lists.debian.org, 25882@bugs.debian.org
Subject: Re: The 'users' gid: sync, games, and man
Date: Tue, 11 Feb 2003 10:17:56 +0000
On Sun, Feb 09, 2003 at 02:20:53PM +0100, Josip Rodin wrote:
> On Sun, Feb 09, 2003 at 12:34:19PM +0000, Colin Watson wrote:
> > sync:
> > games:
> > man:
> 
> Good summary. I'm inclined to say nogroup, games, nogroup,

I don't think man should be nogroup for much the same reasons I don't
think it should be users, so I think I'll go with a dedicated group.
Otherwise, agreed.

> because using the root group would possibly compromise other files on
> the system that happen to be 0640, 0740 etc. Not that there should be
> any such files, but still. Note also that nothing else appears to be
> using the root group by default.

Yes, fair point, and I agree. Some systems might use the root group to
control who can su as well.

I've applied this in my local copy, pending any objections:

Index: group.master
===================================================================
--- group.master        (revision 715)
+++ group.master        (revision 716)
@@ -9,6 +9,7 @@
 mail:*:8:
 news:*:9:
 uucp:*:10:
+man:*:12:
 proxy:*:13:
 kmem:*:15:
 dialout:*:20:
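Review bot: gid 12 for the new man group is taken from the gap between uucp (10) and proxy (13) in the visible context, which makes it a new globally static allocation; record it in the changelog and the static-id list so nothing else in the 0-99 range is handed 12 later, and make sure the passwd.master half of revision 716 ships in the same upload, since the man user's primary gid 12 has no group entry until this line is present.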
Index: passwd.master
===================================================================
--- passwd.master       (revision 715)
+++ passwd.master       (revision 716)
@@ -2,9 +2,9 @@
 daemon:*:1:1:daemon:/usr/sbin:/bin/sh
 bin:*:2:2:bin:/bin:/bin/sh
 sys:*:3:3:sys:/dev:/bin/sh
-sync:*:4:100:sync:/bin:/bin/sync
-games:*:5:100:games:/usr/games:/bin/sh
-man:*:6:100:man:/var/cache/man:/bin/sh
+sync:*:4:65534:sync:/bin:/bin/sync
+games:*:5:60:games:/usr/games:/bin/sh
+man:*:6:12:man:/var/cache/man:/bin/sh
 lp:*:7:7:lp:/var/spool/lpd:/bin/sh
 mail:*:8:8:mail:/var/mail:/bin/sh
 news:*:9:9:news:/var/spool/news:/bin/sh
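Review bot: the sync line hard-codes 65534 instead of naming nogroup, so its correctness depends on nogroup keeping that gid in group.master; a changelog entry (or a comment beside the line) should state that 65534 is nogroup and that sync deliberately shares it rather than getting a group of its own. Also, the games and man lines keep /bin/sh as their shell; this hunk does not touch that, but since neither account is meant to be logged into, a follow-up change to a non-login shell is worth filing alongside this one.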

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>, base-passwd@packages.qa.debian.org:
Bug#25882; Package base-passwd.

Acknowledgement sent to Russell Coker <russell@coker.com.au>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>, base-passwd@packages.qa.debian.org.

Message #97 received at 25882@bugs.debian.org:

From: Russell Coker <russell@coker.com.au>
To: Colin Watson <cjwatson@debian.org>
Cc: debian-devel@lists.debian.org, 25882@bugs.debian.org
Subject: Re: The 'users' gid: sync, games, and man
Date: Tue, 11 Feb 2003 13:23:49 +0100
On Tue, 11 Feb 2003 11:17, Colin Watson wrote:
> +games:*:5:60:games:/usr/games:/bin/sh
> +man:*:6:12:man:/var/cache/man:/bin/sh

That is good apart from one thing.  I don't think that there is any good 
reason for giving a login shell for "games" or "man".  No-one should ever 
login to those accounts in a normal setup and therefore the default shell 
should be /bin/false.

There have been a number of security holes that would work if you give such 
accounts a shell of /bin/sh but which would not work if the shell was 
/bin/false.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

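Putting the checks made in this thread into a repeatable form: the following is an added audit script, not part of base-passwd or of any message in this log. It parses passwd(5) and group(5) data and reports globally static accounts whose primary gid sits in the dynamic or user range (the sync/games/man situation above), primary gids with no group entry, system accounts with a login shell (Russell Coker's point) and, given (path, uid, gid) records, files owned by nobody/nogroup or by ids that no longer exist (Michael Stone's point). The range boundaries (0-99 static, 100-999 dynamic, 1000 and up for users, 65534 nobody) are the Debian policy values quoted in the thread; the sample passwd/group data is constructed from the pre-fix lines quoted in the bug plus root and one ordinary user; treating /bin/sync as a non-login shell and the PASSWD_AFTER/GROUP_AFTER names are assumptions of this example.

```python
"""Audit passwd(5)/group(5) data against the Debian id ranges cited in #25882."""
from collections import namedtuple
from typing import Iterable

# Debian policy ranges as quoted in the thread: 0-99 globally static,
# 100-999 dynamically allocated system ids, 1000+ ordinary users, 65534 nobody.
STATIC_MAX = 99
DYNAMIC_MIN, DYNAMIC_MAX = 100, 999
USER_MIN = 1000
NOBODY = 65534
# Shells that give no interactive login.  /bin/sync is included on the
# assumption (from the thread) that the sync account exists only to run it.
NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/bin/sync"}

PwEntry = namedtuple("PwEntry", "name uid gid shell")

def parse_passwd(text: str) -> list[PwEntry]:
    """Parse passwd(5) lines (name:pw:uid:gid:gecos:home:shell)."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(PwEntry(f[0], int(f[2]), int(f[3]), f[6]))
    return entries

def parse_group(text: str) -> dict[int, str]:
    """Parse group(5) lines (name:pw:gid:members) into {gid: name}."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 4:
            raise ValueError(f"malformed group line: {line!r}")
        groups[int(f[2])] = f[0]
    return groups

def id_class(n: int) -> str:
    """Classify a uid or gid by the allocation range it falls in."""
    if n == NOBODY:
        return "nobody"
    if n <= STATIC_MAX:
        return "static"
    if DYNAMIC_MIN <= n <= DYNAMIC_MAX:
        return "dynamic"
    return "user"

def audit_accounts(pw: list[PwEntry], groups: dict[int, str]) -> list[str]:
    """Return one finding per problem; an empty list means the data is clean."""
    findings = []
    for e in pw:
        if e.gid not in groups:
            findings.append(f"{e.name}: primary gid {e.gid} has no group entry")
        # A globally static account with a dynamic- or user-range primary gid is
        # the sync/games/man problem: that gid may already be a local group.
        if id_class(e.uid) == "static" and id_class(e.gid) in ("dynamic", "user"):
            gname = groups.get(e.gid, "?")
            findings.append(f"{e.name}: static uid {e.uid} but {id_class(e.gid)} "
                            f"primary gid {e.gid} ({gname})")
        if e.uid != 0 and e.uid < USER_MIN and e.shell not in NON_LOGIN_SHELLS:
            findings.append(f"{e.name}: system account with login shell {e.shell}")
    return findings

def audit_ownership(files: Iterable[tuple[str, int, int]],
                    pw: list[PwEntry], groups: dict[int, str]) -> list[str]:
    """Flag (path, uid, gid) records owned by nobody/nogroup or by unknown ids;
    on a live system feed this from os.lstat over the tree, as root."""
    uids = {e.uid for e in pw}
    findings = []
    for path, uid, gid in files:
        if uid == NOBODY or gid == NOBODY:
            findings.append(f"{path}: owned by nobody/nogroup ({uid}:{gid})")
        elif uid not in uids or gid not in groups:
            findings.append(f"{path}: owner {uid}:{gid} has no passwd/group entry")
    return findings

# Constructed sample: the pre-fix passwd.master lines quoted in the bug, plus
# root and one ordinary user whose primary group happens to be 'users'.
PASSWD_BEFORE = """\
root:*:0:0:root:/root:/bin/sh
sync:*:4:100:sync:/bin:/bin/sync
games:*:5:100:games:/usr/games:/bin/sh
man:*:6:100:man:/var/catman:/bin/sh
ian:x:1000:100:Ian:/home/ian:/bin/bash
"""
GROUP_BEFORE = "root:*:0:\ngames:*:60:\nusers:*:100:\nnogroup:*:65534:\n"
# The same accounts with the gids applied later in this thread, plus man:12.
PASSWD_AFTER = (PASSWD_BEFORE.replace(":4:100:", ":4:65534:")
                .replace(":5:100:", ":5:60:").replace(":6:100:", ":6:12:"))
GROUP_AFTER = GROUP_BEFORE + "man:*:12:\n"
```

On a live system call audit_accounts(parse_passwd(open('/etc/passwd').read()), parse_group(open('/etc/group').read())). The constructed data yields five findings before the fix (sync, games and man on gid 100, plus the two /bin/sh shells) and two after it (only the shells); dropping man:*:12: from the group data adds a dangling-gid finding for man, which is the failure mode the two halves of the fix have to avoid.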



Information forwarded to debian-bugs-dist@lists.debian.org, base-passwd@packages.qa.debian.org:
Bug#25882; Package base-passwd.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to base-passwd@packages.qa.debian.org.

Message #102 received at 25882@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: debian-devel@lists.debian.org, 25882@bugs.debian.org
Subject: Re: Bug#25882: The 'users' gid: sync, games, and man
Date: Tue, 11 Feb 2003 13:25:14 +0000
On Tue, Feb 11, 2003 at 01:23:49PM +0100, Russell Coker wrote:
> On Tue, 11 Feb 2003 11:17, Colin Watson wrote:
> > +games:*:5:60:games:/usr/games:/bin/sh
> > +man:*:6:12:man:/var/cache/man:/bin/sh
> 
> That is good apart from one thing.  I don't think that there is any good 
> reason for giving a login shell for "games" or "man".  No-one should ever 
> login to those accounts in a normal setup and therefore the default shell 
> should be /bin/false.

Agreed. However, that's entirely separate from this bug, so let's please
keep it separate. I thought you'd filed it as a bug against base-passwd
already, although it seems not. I was aware of it, though.

I'm somewhat concerned about the effect that changing man's shell to
/bin/false would have on people who didn't accept woody's conffile
changes to /etc/cron.*/man-db to use start-stop-daemon instead of su
(trust me, there will be plenty of these people), not to mention that I
frequently suggest that people run 'mandb -d' as the man user in order
to narrow down bug reports. I suppose I'll have to start telling them to
run 'su -s /bin/sh -c "mandb -d" - man' as root, or some such.

It's a shame that we don't have a better way to run a program as another
user. su generates syslog entries and requires a valid shell in
/etc/passwd unless you use -s. start-stop-daemon hits my overkill button
every time I see it used for this, it needs strange hacks like
'--pidfile /dev/null' to run programs that aren't daemons, and its
command lines tend to be rather long. sudo isn't in the base system and
it requires special configuration. I'd like something that has roughly
sudo's argument syntax but authenticates like su.

[Please direct replies away from 25882@bugs.debian.org; this is no
longer relevant to it.]

-- 
Colin Watson                                  [cjwatson@flatline.org.uk]



Information forwarded to debian-bugs-dist@lists.debian.org, Colin Watson <cjwatson@debian.org>:
Bug#25882; Package base-passwd.

Acknowledgement sent to Jason Cormie <jason@wormwood666.demon.co.uk>:
Extra info received and forwarded to list. Copy sent to Colin Watson <cjwatson@debian.org>.

Message #107 received at 25882@bugs.debian.org:

From: Jason Cormie <jason@wormwood666.demon.co.uk>
To: Debian Bug Tracking System <25882@bugs.debian.org>
Subject: base-passwd: Bug already "fixed"
Date: Sun, 04 May 2008 23:24:34 +0100
Package: base-passwd
Followup-For: Bug #25882


According to my passwd file, group 100 is no longer used as described
previously.

sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh

Since this bug was first reported, normal users are now generated from
1000, and each of the previously mentioned accounts either has its own
group or is assigned to nogroup.

I think this bug should be closed.

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.24-1-amd64 (SMP w/1 CPU core)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages base-passwd depends on:
ii  libc6                         2.7-10     GNU C Library: Shared libraries

base-passwd recommends no packages.

-- debconf-show failed






Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#25882; Package base-passwd.

Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list.

Message #112 received at 25882@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Jason Cormie <jason@wormwood666.demon.co.uk>, 25882@bugs.debian.org
Subject: Re: Bug#25882: base-passwd: Bug already "fixed"
Date: Mon, 5 May 2008 00:07:35 +0100
On Sun, May 04, 2008 at 11:24:34PM +0100, Jason Cormie wrote:
> According to my passwd file, group 100 is no longer used as described
> previously.
> 
> sync:x:4:65534:sync:/bin:/bin/sync
> games:x:5:60:games:/usr/games:/bin/sh
> man:x:6:12:man:/var/cache/man:/bin/sh
> 
> Since this bug was first reported, normal users are now generated from
> 1000, and each of the previously mentioned accounts either has its own
> group or is assigned to nogroup.
> 
> I think this bug should be closed.

Speaking as the package maintainer, please leave this bug open. While it
is true that no global static users use gid 100 any more, the gid still
exists and ultimately should be changed to 99 at least for new
installations.

  $ getent group 100
  users:x:100:

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 04:33:02 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.