Package: opensysusers Version: 0.7.3-2 Severity: grave Tags: security upstream X-Debbugs-Cc: Debian Security Team <[email protected]>
opensysusers doesn't really implement the `--root` option (though it pretends a bit). Functions like `add_group` always access `/etc/group` and use tools like `groupadd`: ```sh grep -q "^$1:" /etc/group || groupadd -r "$1" ``` So they will always modify the host system, even when supposed to operate on some chroot environment. Applying changes intended for some other environment to the host system looks like a potential security issue. AFAIR there are other incompatibilities with systemd-sysusers so that opensysusers should arguably not claim to be a compatible drop-in replacement. Ansgar

