[Bug 192138] New: pw useradd and pw groupadd existence check races

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Sat Jul 26 17:27:23 UTC 2014 

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=192138

            Bug ID: 192138
           Summary: pw useradd and pw groupadd existence check races
           Product: Base System
           Version: 10.0-STABLE
          Hardware: Any
                OS: Any
            Status: Needs Triage
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: sheets at alum.mit.edu

pw useradd has a race between checking if the username is already in use and
updating the pw database:

getpwnam check
<https://svnweb.freebsd.org/base/head/usr.sbin/pw/pw_user.c?revision=267970&view=markup#l602>

addpwent
<https://svnweb.freebsd.org/base/head/usr.sbin/pw/pw_user.c?revision=267970&view=markup#l712>
with useless return value check

pw_update without check or nonzero return inside of lock
<https://svnweb.freebsd.org/base/head/usr.sbin/pw/pwupd.c?revision=267670&view=markup#l126>

pw groupadd has a race between checking if the groupname is already in use and
updating the gr database:

getgrnam check
<https://svnweb.freebsd.org/base/head/usr.sbin/pw/pw_group.c?revision=262864&view=markup#l102>

addgrent
<https://svnweb.freebsd.org/base/head/usr.sbin/pw/pw_group.c?revision=262864&view=markup#l260>
with useless return value check

gr_update without check or nonzero return inside of lock
<https://svnweb.freebsd.org/base/head/usr.sbin/pw/grupd.c?revision=243898&view=markup#l71>

This race is exhibited when multiple processes attempt to use the error return
code of useradd/groupadd to indicate whether they have successfully created a
unique user for themselves. If the race occurs, the uid/gid of the database
entry may change out from under the first successful process as the second
process finds an unused uid/gid and then updates the database using the same
key (but the new uid/gid).

I don't believe this bug is a security vulnerability except in contexts where
attackers may have control over user/group creation by applications assuming
that the database locks ensure non-collision.

pw useradd/groupadd should either consistently let the operator overwrite
existing groups/users or should consistently produce a name collision error

pw groupadd/useradd sometimes exits due to a name collision and sometimes
overwrites existing groups/users

-- 
You are receiving this mail because:
You are the assignee for the bug.

More information about the freebsd-bugs mailing list