Your message dated Mon, 16 Sep 2024 12:20:56 +0200
with message-id <[email protected]>
and subject line opensysusers/0.7.3-3: Wrong closed bug
has caused the Debian Bug report #1055517,
regarding opensysusers: modifies host system instead of target environment
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1055517: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055517
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: opensysusers
Version: 0.7.3-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>
opensysusers doesn't really implement the `--root` option (though it
pretends a bit). Functions like `add_group` always access
`/etc/group` and use tools like `groupadd`:
```sh
grep -q "^$1:" /etc/group || groupadd -r "$1"
```
So they will always modify the host system, even when supposed to
operate on some chroot environment.
Applying changes intended for some other environment to the host
system looks like a potential security issue.
AFAIR there are other incompatibilities with systemd-sysusers so that
opensysusers should arguably not claim to be a compatible drop-in
replacement.
Ansgar
--- End Message ---
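A root-aware version of the check quoted in the report, shown beside the host-only pattern. This is an added example, not opensysusers code and not part of the original message; the function names and the `GROUPADD` override are hypothetical, and `groupadd -R` is the shadow-utils `--root` option.

```shell
#!/bin/sh
# Added example (not opensysusers code). Function names and the GROUPADD
# override are hypothetical; groupadd -R/--root is the shadow-utils option
# that applies the change inside the given directory.
GROUPADD=${GROUPADD:-groupadd}

# Exact-match lookup in the group file of the given root ("" or "/" = host).
# awk compares the first field literally, so a name is never read as a regex.
group_exists() {
    awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' \
        "${2%/}/etc/group"
}

# Pattern from the report: the lookup and the write both hit the host,
# whatever target root the caller asked for.
add_group_host_only() {
    grep -q "^$1:" /etc/group || "$GROUPADD" -r "$1"
}

# Root-aware variant: $2 is the target root; lookup and write both use it.
add_group_rooted() {
    name=$1
    root=${2%/}
    group_exists "$name" "$root" && return 0
    if [ -z "$root" ]; then
        "$GROUPADD" -r "$name"
    else
        "$GROUPADD" -R "$root" -r "$name"
    fi
}
```

Calling `add_group_rooted mygroup /srv/chroot` (constructed path) reads `/srv/chroot/etc/group` and leaves the host's `/etc/group` untouched.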
--- Begin Message ---
Version: opensysusers/0.7.3-3
Control: reopen 1055777
Oops, version 0.7.3-3 closed bug #1055517, not #1055777. Guess you
shouldn't try fixing critical bugs at 1 am...
--- End Message ---