Hi Ansgar,

On Tue, 07 Nov 2023 19:38:25 +0100 Ansgar <ans...@debian.org> wrote:
> opensysusers doesn't really implement the `--root` option (though it
> pretends a bit). Functions like `add_group` always access
> `/etc/group` and use tools like `groupadd`:
>
> ```sh
> grep -q "^$1:" /etc/group || groupadd -r "$1"
> ```
>
> So they will always modify the host system, even when supposed to
> operate on some chroot environment.
>
> Applying changes intended for some other environment to the host
> system looks like a potential security issue.
Thanks for the report, I wasn't aware of this issue and I agree with you that yeah, this can be a security issue, and quite an unexpected behaviour.

How do you think this should be handled? opensysusers is pretty much dead upstream (they accept patches, but the Artix Linux community isn't working on it anymore), so I don't expect them to fix this bug. I'll report it though. Still, groupadd and useradd support a "--root" option which seems to do exactly what we need here, so writing a patch to fix the issue looks reasonable. I'm not sure how to test such a patch though.

> AFAIR there are other incompatibilities with systemd-sysusers so that
> opensysusers should arguably not claim to be a compatible drop-in
> replacement.

This has been discussed both recently and some years ago, and while using opensysusers as a drop-in replacement seemed appropriate in the past, I don't think it still is *that* compelling, not because using a systemd-sysusers alternative doesn't make sense (I have personally worked to develop one in the past), but because opensysusers is Linux-only, and it can be used in the same exact scenarios as the standalone version of systemd-sysusers, so from a technical point of view I don't really see opensysusers' usefulness anymore (a standalone version of systemd-sysusers hasn't always existed). You could say that opensysusers is "more secure" because it isn't written in C, but the sh scripting language isn't exactly that secure compared to e.g. Rust or Go.

In conclusion, I'm still not sure what the best thing to do right now is. For now, I'll limit myself to fixing this bug.

Thanks again!

Bye :)
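The root-aware shape of the quoted `add_group` helper that the reply suggests (resolving `/etc/group` below the target directory and passing the same directory to `groupadd --root`), together with a way to exercise it against a scratch directory rather than the host. This is an added example, not opensysusers' code nor a patch from this thread; `SYSUSERS_ROOT`, `GROUPADD_CMD`, `root_path` and `demo` are names chosen here, and the group file contents in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not opensysusers' code: a root-aware replacement for the
# quoted add_group helper. SYSUSERS_ROOT (assumed to be filled in by the
# --root option parser) and GROUPADD_CMD are names chosen for this example.
set -u

# Target directory; empty or "/" means operate on the host itself.
SYSUSERS_ROOT="${SYSUSERS_ROOT:-}"
# Command used to create groups; overridable so the helper can be
# exercised against a scratch directory without root privileges.
GROUPADD_CMD="${GROUPADD_CMD:-groupadd}"

# Resolve an absolute path such as /etc/group below the target root.
root_path() {
    printf '%s%s\n' "${SYSUSERS_ROOT%/}" "$1"
}

# 0 if the group exists in the target root's /etc/group, non-zero otherwise.
# The name is matched as a whole fixed string, so it is never interpreted
# as a regular expression the way "^$1:" was in the original grep.
group_exists() {
    cut -d: -f1 "$(root_path /etc/group)" 2>/dev/null | grep -qxF -- "$1"
}

# Create a system group in the target root only if it is not there yet.
# When a root is set it is passed on to groupadd, which then reads and
# writes the account files under that directory instead of the host's.
add_group() {
    group_exists "$1" && return 0
    if [ -n "${SYSUSERS_ROOT%/}" ]; then
        "$GROUPADD_CMD" -r --root "${SYSUSERS_ROOT%/}" "$1"
    else
        "$GROUPADD_CMD" -r "$1"
    fi
}

# Demonstration against a constructed scratch root (no host files involved).
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/etc"
    printf 'root:x:0:\nsystemd-journal:x:190:\n' > "$scratch/etc/group"
    SYSUSERS_ROOT="$scratch"
    group_exists systemd-journal && echo "found in $(root_path /etc/group)"
    group_exists nonexistent || echo "nonexistent group not in scratch root"
    rm -rf "$scratch"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Running the script with the argument `demo` shows the lookups happening under the scratch directory; for the `groupadd` step itself, pointing `GROUPADD_CMD` at a stub that appends to `$root/etc/group` lets the branch be tested without privileges.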