Ubuntu – Is There A Security Risk With Users That Are Also Groups

Securityusers

I know a little about users and groups; in the past I might have had a group like 'DBAS' or 'ADMINS' and I'd add individual users to each group…

But I was surprised to learn I could add users to other users – as if they were groups.

For example if my /etc/group contained the following:

user1:x:12501:
user2:x:12502:user1
admin:x:123:user2,jim,bob

Since user2 is a member of the admin group, and user1 is a member of user2 – is user1 effectively an admin? If the admin group is in the sudoers file, can user1 use it as well?

I've tried to simulate this and I haven't been able to do so as user1…but I'm not sure it's impossible.

EDIT: SORRY – updated error in question.

Best Answer

In your example you:

Have the user user1 as a part of the group user2.
Have the user user2 as a part of the group admin.

The user user1 is distinct from the group user1.

Since (the user) user2 is a member of the admin group, and (the user) user1 is a member of (the group) user2 - is user1 effectively an admin?

No, the user user2 is a member of the admin group. Not the group user1.

If the admin group is in the sudoers file, can (the user) user2 use it as well?

Yes, just as the other users which are members of the group, jim and bob.

If the admin group is in the sudoers file, can user1 use it as well?

No, since the admin group only consists of users. It has the user user2 in it. Even though the user user1 is part of the group user2. They are different things, but share the same name in this and many distros setup. Groups on one side, users on the other. If the names match, they are still entierly different things.

To sum it up: Separate the user from the group. The names may be the same, but they refer to different entities. In GNU/Linux you do not have groups inside groups, a group can only contain users (which is different from say Windows).

1. Basic approach

I found very useful package for such operation. It is named base-passwd and has the following description:

$ apt-cache show base-passwd   
Package: base-passwd  
...  
Description-en: Debian base system master password and group files  
 These are the canonical master copies of the user database files  
 (/etc/passwd and /etc/group), containing the Debian-allocated user and  
 group IDs. The update-passwd tool is provided to keep the system databases  
 synchronized with these master files.

Master files (in aforementioned terminology) are placed in:

/usr/share/base-passwd/group.master
/usr/share/base-passwd/passwd.master

The package contains only one binary /usr/sbin/update-passwd.
Its purpose is described in man-page (man update-passwd):

DESCRIPTION
update-passwd handles updates of /etc/passwd, /etc/shadow and /etc/group on running Debian systems. It compares the current files to master copies, distributed in the base-passwd package, and updates all entries in the global system range (that is, 0–99).

For the problem from the question we need to run:

sudo update-passwd --sanity-check --verbose

Also you can try to run the simulation (dry-run):

$ sudo update-passwd --sanity-check --verbose --dry-run
Reading passwd from /usr/share/base-passwd/passwd.master
Reading group from /usr/share/base-passwd/group.master
Reading passwd from /etc/passwd
Reading shadow from /etc/shadow
Reading group from /etc/group

Running without arguments will safely update /etc/passwd, /etc/shadow and /etc/group or quit quietly:

$ sudo update-passwd
$ sudo update-passwd --verbose
No changes needed

The utility covers 39 standard groups - adm, audio, backup, bin, cdrom, daemon, dialout, dip, disk, fax, floppy, games, gnats, irc, kmem, list, lp, mail, man, news, nogroup, operator, plugdev, proxy, root, sasl, shadow, src, staff, sudo, sys, tape, tty, users, utmp, uucp, video, voice, www-data.

One can read local documentation about standard groups in /usr/share/doc/base-passwd/users-and-groups.html (or online).

2. Deeper approach

Warning: do not continue if unsure what you are doing or if you are newbie.

Start with

sudo update-passwd --verbose

and then if you have installed other software from repositories and then trashed your /etc/passwd and/or /etc/group you can try to reinstall all such packages with the command based on @muru suggestion:

sudo apt-get install --reinstall \
$(grep -RlE '(getent|useradd|adduser|groupadd|addgroup|chrgp|chmod|gpasswd|usermod)' \
/var/lib/dpkg/info --include='*inst' | sed -r 's:.*/(.*)\.[-a-z]+inst:\1:')

2.1. Broken `/etc/group`

If you have removed entries from /etc/group you will face error messages as

dpkg: unrecoverable fatal error, aborting:
 unknown group 'crontab' in statoverride file
E: Sub-process /usr/bin/dpkg returned an error code (2)

You need to remove corresponding lines from /var/lib/dpkg/statoverride and /etc/passwd then try again with the command above.

Other possible error message is

E: Internal Error, No file name for dbus:amd64

You can fix it by downloading the package manually:

apt-get download dbus
sudo dpkg -i dbus*.deb

and then try again with the command above.

If you have removed systemd-related groups systemd-journal, systemd-timesync, systemd-network, systemd-resolve, systemd-bus-proxy from /etc/group then remove them from /etc/passwd and reinstall systemd package with

sudo apt-get install --reinstall systemd

then try again with the command above

2.2. Broken `/etc/passwd`

If you have removed entries from /etc/passwd you will face error messages as

dpkg: unrecoverable fatal error, aborting:
 unknown user 'hplip' in statoverride file

You need to remove corresponding line from /var/lib/dpkg/statoverride and then try again with the command above.

Best Answer

Related Solutions

Ubuntu – Why are there two users with same name

Ubuntu – How to check that the users and groups are correct

1. Basic approach

2. Deeper approach

2.1. Broken /etc/group

2.2. Broken /etc/passwd

Related Question

2.1. Broken `/etc/group`

2.2. Broken `/etc/passwd`