Debian Bug report logs - #64806
adduser: adduser creates sgid home directories, for no discernable reason
Reported by: Joey Hess <joey@kitenet.net>
Date: Sun, 28 May 2000 02:33:01 UTC
Severity: normal
Found in version 3.11.1
Fixed in version adduser/3.13
Done: Roland Bauerschmidt <rb@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Guy Maor <maor@debian.org>:
Bug#64806; Package adduser.
Acknowledgement sent to Joey Hess <joey@kitenet.net>:
New Bug report received and forwarded. Copy sent to Guy Maor <maor@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: adduser
Version: 3.11.1
Severity: normal
root@kite:/home>adduser foo
Adding user foo...
Adding new group foo (1012).
Adding new user foo (1012) with group foo.
Creating home directory /home/foo.
Copying files from /etc/skel
Enter new UNIX password:
zsh: suspended adduser foo
root@kite:/home>ls -ld foo
drwxr-sr-x 2 foo foo 1024 May 27 18:47 foo/
      ^
My bug report revolves around the question of why that bit is set. It seems
to have no discernable purpose. I asked about it on debian devel, and the
best theory I got was this from Nathan E Norman:
As far as I can tell, they ease the above setup (shared sgid
directories) for the newbie. Observe:
: nnorman@canaris:~ $ ll -d ~
: drwxr-sr-x 32 nnorman nnorman 4096 May 24 16:24 /home/nnorman/
: nnorman@canaris:~ $ mkdir test
: nnorman@canaris:~ $ rmdir test
: nnorman@canaris:~ $ ls -ld ~
: drwxr-sr-x 32 nnorman nnorman 4096 May 24 16:24 /home/nnorman/
: nnorman@canaris:~ $ mkdir test
: nnorman@canaris:~ $ ls -ld test
: drwxrwsr-x 2 nnorman nnorman 4096 May 24 16:25 test/
: nnorman@canaris:~ $ chgrp mp3 test
: nnorman@canaris:~ $ ls -ld test
: drwxrwsr-x 2 nnorman mp3 4096 May 24 16:25 test/
: nnorman@canaris:~ $ touch test/testfile
: nnorman@canaris:~ $ ls -l test/testfile
: -rw-rw-r-- 1 nnorman mp3 0 May 24 16:25 test/testfile
Other than changing group ownership on directory "test", I didn't have
to change any attribute of that directory. Granted, "chmod 2775 test"
or "chmod g+s test" would work fine, but most new users seem to have
severe problems with suid/sgid bits, and since they fear them they
don't use them.
A weak argument to be sure, but it's the only benefit I can see :)
On the minus side of the tally sheet, sgid home directories have broken alien
and dpkg-repack, causing them to get file permissions wrong (these problems are
now fixed, but I felt I was hacking around something in doing so). More generally,
sgid home directories make it more difficult to make a directory under your home,
untar a tarball into that directory, and then tar it back up, with the permissions
preserved. I think that's a pretty big minus! I think it violates the principle of
least surprise.
I tried to find some documentation in adduser about why it does this, and failed.
(So at the very least, this is a documentation bug).
Looking at the code, a directory is only created mode 2755 if $make_group_also is
set. Since I am not passing --group, it must be being set by this (confirmed in
a debugger):
if ($config{"usergroups"} eq "yes") { $make_group_also = 1; }
I also found this in the changelog:
* /etc/skel can deal with symlinks. directories are g+s if usergroups=yes.
-- Guy Maor <maor@ece.utexas.edu> Sat, 17 May 1997 12:21:46 -0500
-- System Information
Debian Release: 2.2
Kernel Version: Linux kite 2.2.14 #1 Mon Jan 10 21:43:42 PST 2000 i686 unknown
Versions of the packages adduser depends on:
ii passwd 19990827-20 Change and administer password and group data.
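The behaviour discussed in the report above, as an added example that is not part of the original report or of adduser: it reproduces setgid inheritance in a throwaway directory, shows the bit following a subdirectory into a tarball, and audits and clears it. The function names and the `foo`/`bar` directories are constructed for illustration, and Linux setgid-directory semantics are assumed.

```shell
#!/bin/sh
# Added example, not adduser code. Every path is constructed under a temp dir.

# list_sgid_dirs BASE: print the immediate subdirectories of BASE that carry
# the setgid bit (run it on /home to find homes created the way this bug shows).
list_sgid_dirs() {
    for d in "$1"/*/; do
        d=${d%/}
        if [ -d "$d" ] && [ ! -L "$d" ] && [ -g "$d" ]; then
            printf '%s\n' "$d"
        fi
    done
}

# make_homes: build two constructed home directories and print their parent.
#   foo: mode 2755, as adduser 3.11.1 created it with usergroups=yes
#   bar: mode 0755, the adduser 3.13 default (SETGID_HOME not set)
# Each gets a subdirectory "test"; on Linux foo/test inherits g+s from foo.
make_homes() (
    umask 022
    base=$(mktemp -d) || exit 1
    mkdir "$base/foo" "$base/bar"
    chmod 2755 "$base/foo"
    chmod 755 "$base/bar" && chmod g-s "$base/bar"
    mkdir "$base/foo/test" "$base/bar/test"
    printf '%s\n' "$base"
)

# archived_mode HOME: archive HOME/test and print the mode string tar stored,
# showing that the inherited bit travels into a tarball made under HOME.
archived_mode() {
    tar -cf - -C "$1" test | tar -tvf - | awk 'NR == 1 { print $1 }'
}

# clear_sgid HOME: drop the setgid bit from HOME and all directories below it.
# Symbolic g-s is used because GNU chmod leaves a directory's setgid bit in
# place when given a plain numeric mode such as 0755.
clear_sgid() {
    find "$1" -type d -perm -2000 -exec chmod g-s {} +
}

base=$(make_homes)
list_sgid_dirs "$base"
echo "foo/test in a tarball: $(archived_mode "$base/foo")"
echo "bar/test in a tarball: $(archived_mode "$base/bar")"
clear_sgid "$base/foo"
echo "foo/test after g-s:    $(archived_mode "$base/foo")"
rm -rf "$base"
```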
Reply sent to Roland Bauerschmidt <rb@debian.org>:
You have taken responsibility.
Notification sent to Joey Hess <joey@kitenet.net>:
Bug acknowledged by developer.
Message #10 received at 64806-close@bugs.debian.org:
We believe that the bug you reported is fixed in the latest version of
adduser, which has been installed in the Debian FTP archive:
adduser_3.13.tar.gz
to dists/woody/main/source/base/adduser_3.13.tar.gz
replacing adduser_3.12.tar.gz
adduser_3.13.dsc
to dists/woody/main/source/base/adduser_3.13.dsc
replacing adduser_3.12.dsc
adduser_3.13_all.deb
to dists/woody/main/binary-all/base/adduser_3.13.deb
replacing adduser_3.12.deb
Note that this package is not part of the released stable Debian
distribution. It may have dependencies on other unreleased software,
or other instabilities. Please take care if you wish to install it.
The update will eventually make its way into the next released Debian
distribution.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 64806@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Roland Bauerschmidt <rb@debian.org> (supplier of updated adduser package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.6
Date: Sat, 04 Jun 2000 17:13:51 +0200
Source: adduser
Binary: adduser
Architecture: source all
Version: 3.13
Distribution: unstable
Urgency: low
Maintainer: Roland Bauerschmidt <rb@debian.org>
Description:
adduser - Add and remove users and groups to resp. from the system.
Closes: 44902 46836 52048 52508 53912 64806
Changes:
adduser (3.13) unstable; urgency=low
.
* Merged separate .po-files for adduser and deluser into one
* Added Brazilian translation for adduser (closes: #53912), thanks to
Cesar Eduardo Barros <cesarb@web4u.com.br>
* Added Spanish translation for adduser and deluser (closes: #44902),
thanks to Nicolás Lichtmaier <nick@debian.org>
* Added Korean translation for adduser (closes: #46836), thanks to
Changwoo Ryu <cwryu@adam.kaist.ac.kr>
* Worked patch from #52048 into adduser (closes: #52048)
* Added deluser in SEE ALSO section of adduser's manpage (closes: #52508)
* Don't create home directories for users with their own group per
default setgid because this has some bad side effects. Can be set in
/etc/adduser.conf with SETGID_HOME=yes (closes: #64806)
* Started TODO list for all the things that still have to be done....
Files:
d3ff605653a29ffedaac02364ccbd126 497 base required adduser_3.13.dsc
246af0c163f1631a6ec043caf41c3d44 28780 base required adduser_3.13.tar.gz
5dec713f7ba2db48c798c1dc5c994e2f 30888 base required adduser_3.13_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.1 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQE5OkliDpXnNan6F/8RAlgsAKCHr3DwDoDkrrMpIJ451buSvF0g3QCdFCW4
XMb5SAapHkP5W1Vq8+f5i6s=
=CbFt
-----END PGP SIGNATURE-----
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jul 1 21:05:36 2023;