Package: opensysusers
Version: 0.7.3-2
Severity: grave
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <[email protected]>

opensysusers doesn't really implement the `--root` option (though it
pretends a bit).  Functions like `add_group` always access
`/etc/group` and use tools like `groupadd`:

```sh
grep -q "^$1:" /etc/group || groupadd -r "$1"
```

So they will always modify the host system, even when supposed to
operate on some chroot environment.

Applying changes intended for some other environment to the host
system looks like a potential security issue.

AFAIR there are other incompatibilities with systemd-sysusers so that
opensysusers should arguably not claim to be a compatible drop-in
replacement.

Ansgar
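
An added example, not opensysusers code and not part of the report above: the reported line beside a form that honours a target root. It assumes shadow-utils `groupadd` with its `-R`/`--root` option; the function names, the `root` argument and the name check are hypothetical.

```sh
#!/bin/sh
# Added illustration; function names and the root argument are hypothetical.

# Behaviour as reported: the target root is never consulted, so both the
# lookup and the modification hit the host's /etc/group.
add_group_host() {
    grep -q "^$1:" /etc/group || groupadd -r "$1"
}

# Root-aware form: look the group up in <root>/etc/group and let groupadd
# work inside that tree through its --root (-R) option.
# usage: add_group_rooted NAME [ROOT]
add_group_rooted() {
    name=$1
    root=${2:-/}
    root=${root%/}          # "/" becomes "", "/srv/chroot/" loses the slash

    # Extra guard (assumption of this example): the name is interpolated
    # into a grep pattern, so reject anything that is not a plain name.
    case $name in
        ''|-*|*[!A-Za-z0-9_-]*)
            echo "invalid group name: $name" >&2
            return 2 ;;
    esac

    db="$root/etc/group"
    # Fail closed: never fall back to the host database when the target
    # tree has no group file.
    [ -f "$db" ] || { echo "no group database at $db" >&2; return 1; }

    if grep -q "^$name:" "$db"; then
        return 0            # already present in the target tree
    fi

    if [ -z "$root" ]; then
        groupadd -r "$name"             # the host really is the target
    else
        groupadd -R "$root" -r "$name"  # modify only the target tree
    fi
}
```

`groupadd -R` performs a chroot, so the rooted call needs root privileges and a usable `/etc` inside the target tree.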
