Ticket #872 (closed defect: fixed)

Opened 2 years ago

Last modified 1 year ago

Verify shows change when duplicate UID used

Reported by: archie Assigned to: RpmTickets Priority: minor Milestone: rpm-4.12.0 Component: rpm Version: RPM Development Keywords: Cc:

Description

On a system where:

• Two different usernames 'aaa' and 'bbb' are associated with the same UID 1234
• A package is installed with a file 'foo' owned by user 'aaa' in the package manifest

Then rpm -V will (sometimes?) incorrectly report a changed user for 'foo' from 'aaa' to 'bbb'.

As we all know, file ownership in Linux is by UID, not username, so rpm is doing a reverse lookup from UID to username (probably using getpwnam(3)) and (perhaps by chance) getting the wrong answer ('bbb' instead of 'aaa') and then reporting this as a change, when in fact there is no change.

The rpm verify algorithm for user (and similarly group) ownership should instead be:

1. Determine the UID associated with the installed file
2. Lookup the username corresponding to that UID (using getpwuid(3) etc)
3. Compare that with the username in the package manifest

Change History

06/05/14 04:59:12 changed by pmatilai

• status changed from new to closed.
• resolution set to invalid.

If duplicate UIDs are present on the system then what getpwuid() returns is just as much by chance as with getpwnam(), there's no abolute right or wrong at that point.

06/06/14 09:51:59 changed by pmatilai

• status changed from closed to reopened.
• resolution deleted.

Reopening as per http://lists.rpm.org/pipermail/rpm-maint/2014-June/003700.html

06/06/14 10:01:42 changed by pmatilai

• status changed from reopened to closed.
• resolution set to fixed.

...and close as fixed as per https://rpm.org/gitweb?p=rpm.git;a=commitdiff;h=348eea3a4151b1dbe6f9976ef50cd7ba3820fa79

Whether the former behavior was downright incorrect is perhaps debatable

• verification showing change when the actual entries did not change seems buggy but then duplicate uids/users can be considered inconsistent system state, calling for investigation. With the above commit rpm now warns about duplicates but passes the verification in these cases.

06/06/14 14:02:43 changed by archie

Thanks.

Just to correct the record, the original description of what the algorithm "should be" was wrong. It should have stated:

1. Determine the UID of the installed file
2. Determine the UID of the username that is supposed to own the file
3. Compare steps 1 and 2 for equality

09/16/14 11:06:41 changed by pmatilai

• milestone set to rpm-4.12.0.