Xenial's shadow regresses subid allocation logic (wastes uids and gids)

Bug #1545884 reported by Stéphane Graber
Affects          Status        Importance  Assigned to  Milestone
shadow (Ubuntu)  Fix Released  High        Unassigned
Xenial           Fix Released  High        Unassigned

Bug Description

Back in trusty I wrote a patch to shadow which makes sure we only ever allocate a 65k uid/gid map to new users that aren't a system user (no --system flag and not a system uid/gid).

This has regressed recently in Xenial and on a fresh install I found myself with about 15 system users each having 65536 uids and gids allocated to them. That's wasteful and may end up creating accidental collisions when using network authentication.

I have now upstreamed the change we used to have as a distro patch:
   https://github.com/shadow-maint/shadow/pull/12

tags: added: xenial
Serge Hallyn (serge-hallyn) wrote :

Hm, near as I can tell debian/patches/1000_configure_userns is still applied in xenial's shadow and has that content.

Serge Hallyn (serge-hallyn) wrote :

Also, on my xenial laptop I just added a new user, and got:

xxx:731073:65536

So I'm curious what happened on your host?

Stéphane Graber (stgraber) wrote :

root@dakara:~# useradd --system blah

root@dakara:~# cat /etc/subgid
lxd:100000:65536
root:100000:65536
sshd:165536:65536
sbuild:231072:65536
blah:296608:65536

blah most definitely shouldn't be there!

Serge Hallyn (serge-hallyn) wrote :

I see. The fix for that is not in the upstream PR, though.

Serge Hallyn (serge-hallyn) wrote :

Fascinating, src/useradd.c still has

        is_sub_uid = sub_uid_file_present () && !rflg &&
            (!user_id || (user_id <= uid_max && user_id >= uid_min));

Serge Hallyn (serge-hallyn) wrote :

Oh, the bug is that process_flags() is being called after we check for rflg.
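
The ordering problem described in the comment above, as an added example that is not part of the thread and not the real useradd.c: a simplified model in which the quoted is_sub_uid check runs either before or after process_flags(). The option parsing, the stub sub_uid_file_present(), the uid_min/uid_max values and the two wrapper function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the ordering bug; not the real useradd.c. */
static bool rflg;              /* set by -r / --system */
static unsigned long user_id;  /* set by -u N, 0 when not given */
/* Assumed login.defs values (UID_MIN / UID_MAX). */
static const unsigned long uid_min = 1000, uid_max = 60000;

/* Stand-in: the real function checks that /etc/subuid exists. */
static bool sub_uid_file_present(void) { return true; }

/* Stand-in for option parsing: only -r/--system and -u are modelled. */
static void process_flags(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        if (!strcmp(argv[i], "-r") || !strcmp(argv[i], "--system"))
            rflg = true;
        else if (!strcmp(argv[i], "-u") && i + 1 < argc)
            user_id = strtoul(argv[++i], NULL, 10);
    }
}

/* The check quoted in the thread. */
static bool compute_is_sub_uid(void)
{
    return sub_uid_file_present() && !rflg &&
           (!user_id || (user_id <= uid_max && user_id >= uid_min));
}

/* Regressed order: the decision is taken while the flags hold defaults. */
bool is_sub_uid_check_first(int argc, char **argv)
{
    rflg = false; user_id = 0;
    bool is_sub_uid = compute_is_sub_uid();
    process_flags(argc, argv);
    return is_sub_uid;
}

/* Corrected order in this model: parse the command line, then decide. */
bool is_sub_uid_flags_first(int argc, char **argv)
{
    rflg = false; user_id = 0;
    process_flags(argc, argv);
    return compute_is_sub_uid();
}
```

With the check first, `useradd --system blah` is still treated as needing a subordinate range, which matches the stray `blah:296608:65536` entry shown earlier in the thread.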

Stéphane Graber (stgraber) wrote :

Oh, did I mess up the upstream fix too then?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package shadow - 1:4.2-3.1ubuntu3

---------------
shadow (1:4.2-3.1ubuntu3) xenial; urgency=medium

  * d/p/1021_no_subuids_for_system_users.patch: fix the not creating subuids
    for system users. (LP: #1545884)

 -- Serge Hallyn <email address hidden> Wed, 17 Feb 2016 20:57:59 -0800

Changed in shadow (Ubuntu Xenial):
status: Triaged → Fix Released