Skip to content

useradd: Do not automatically add supplements groups for system users #1156

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ikerexxe merged 5 commits into from
Nov 26, 2025
Merged

useradd: Do not automatically add supplements groups for system users #1156

ikerexxe merged 5 commits into from
Nov 26, 2025

Conversation

@SgAkErRu
Copy link
Contributor

@SgAkErRu SgAkErRu commented Dec 16, 2024
edited
Loading

Do not automatically add supplements groups for system users that is created via the -r flag.

Before this change, groups from the GROUPS parameter from the /etc/default/useradd file were automatically added for the system user, which is most often undesirable (more precisely, I do not even know the case when it would be necessary).

Related to: #586

@alejandro-colomar
Copy link
Collaborator

alejandro-colomar commented Dec 17, 2024
edited
Loading

Could you please explain why we want this?

Isn't this another way of having an empty GROUPS list? Why not have an empty GROUPS list instead? (I'm not sure I liked the GROUPS list in the first place.)

@SgAkErRu
Copy link
Contributor Author

SgAkErRu commented Dec 17, 2024

Could you please explain why we want this?

Isn't this another way of having an empty GROUPS list? Why not have an empty GROUPS list instead? (I'm not sure I liked the GROUPS list in the first place.)

GROUPS allows maintainers to set a list of additional (supplementary) default groups, for example users, dialout, audio, serial and so on.

Or, for example, only users, which is then expanded through the libnss-role, i.e. these groups (dialout, audio, serial) are added through libnss-role to those users who are in the users group.

But at this moment, it works so that when creating a system user via useradd --system or useradd -r, these groups are also added to it, which is most often undesirable (more precisely, I do not even know the case when it would be necessary).

Therefore, this new option was created, which allows maintainers to disable auto-addition of additional groups for system users.

alejandro-colomar
alejandro-colomar reviewed Dec 17, 2024
View reviewed changes
alejandro-colomar
alejandro-colomar reviewed Dec 17, 2024
View reviewed changes
alejandro-colomar
alejandro-colomar reviewed Dec 17, 2024
View reviewed changes
@ikerexxe
Copy link
Collaborator

ikerexxe commented Dec 17, 2024

But at this moment, it works so that when creating a system user via useradd --system or useradd -r, these groups are also added to it, which is most often undesirable (more precisely, I do not even know the case when it would be necessary).

Since you are the original author of this functionality and you don't know the case, why don't you filter the group membership addition for non-system users instead of creating a new option? I think that would be the most sensible approach.

@SgAkErRu
Copy link
Contributor Author

SgAkErRu commented Dec 17, 2024
edited
Loading

But at this moment, it works so that when creating a system user via useradd --system or useradd -r, these groups are also added to it, which is most often undesirable (more precisely, I do not even know the case when it would be necessary).

Since you are the original author of this functionality and you don't know the case, why don't you filter the group membership addition for non-system users instead of creating a new option? I think that would be the most sensible approach.

Because I am not original author of this functionality.

So, that's why I suggest this option, which will keep the possibility of the original behavior (when these groups automatically adds to system users).

P.S But in general, with the option, it seems to me a more flexible.

I mean, the GROUPS feature itself with SYS_USER_AUTO_GROUPS_ENAB enabled will be like a complete alternative to specifying default supplementary groups using -G.

@ikerexxe
Copy link
Collaborator

ikerexxe commented Dec 17, 2024

Because I am not original author of this functionality.

Ups sorry, I have mixed up the names.

@AZaugg any opinion on the following topic?

But at this moment, it works so that when creating a system user via useradd --system or useradd -r, these groups are also added to it, which is most often undesirable (more precisely, I do not even know the case when it would be necessary).

Since you are the original author of this functionality and you don't know the case, why don't you filter the group membership addition for non-system users instead of creating a new option? I think that would be the most sensible approach.

@SgAkErRu SgAkErRu force-pushed the useradd-sys-user-auto-groups-option branch from f8867a7 to cea62ec Compare December 17, 2024 15:44
alejandro-colomar
alejandro-colomar reviewed Dec 17, 2024
View reviewed changes
@SgAkErRu SgAkErRu force-pushed the useradd-sys-user-auto-groups-option branch from cea62ec to 020334c Compare December 17, 2024 15:56
alejandro-colomar
alejandro-colomar reviewed Dec 17, 2024
View reviewed changes
@SgAkErRu SgAkErRu force-pushed the useradd-sys-user-auto-groups-option branch from 020334c to d4cf7a6 Compare December 18, 2024 08:33
@SgAkErRu
Copy link
Contributor Author

SgAkErRu commented Oct 15, 2025

@ikerexxe Hi! I can redo this PR as you suggested (filter the group membership addition for non-system users instead of creating a new option) - since the author @AZaugg of the original change has not expressed any objections for quite a long time.

@ikerexxe
Copy link
Collaborator

ikerexxe commented Oct 16, 2025

@SgAkErRu yes, go ahead

@SgAkErRu SgAkErRu force-pushed the useradd-sys-user-auto-groups-option branch from d4cf7a6 to f24813a Compare November 11, 2025 20:19
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 11, 2025
View reviewed changes
@SgAkErRu SgAkErRu force-pushed the useradd-sys-user-auto-groups-option branch from f24813a to e66eb7f Compare November 11, 2025 20:22
@SgAkErRu SgAkErRu changed the title useradd: SYS_USER_AUTO_GROUPS_ENAB option useradd: Do not automatically add supplements groups for system users Nov 11, 2025
@SgAkErRu
Copy link
Contributor Author

SgAkErRu commented Nov 11, 2025

@ikerexxe

@SgAkErRu yes, go ahead

Done

ikerexxe
ikerexxe requested changes Nov 18, 2025
View reviewed changes
Copy link
Collaborator

@ikerexxe ikerexxe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The current implementation contains a flaw. The grp_add() function also sets do_grp_update = true in line 1950. That function is called when useradd is called with -U flag. That means that if a user is created with -U and without -G flags, then the logic you implemented will be executed. That's an undesired execution and it will leave some users without their default supplementary groups.

In addition, I added an inline comment. Probably the end code won't look like that once you fix the aforementioned flaw but it should be something similar.

Finally, one of the commits mentions useradd: fix test 69_useradd_default_GROUPS_name, what is it exactly you are fixing? I'm assuming you are adapting to the new GROUPS behaviour you are trying to implement, but I'd make it more obvious in the commit message.

@SgAkErRu
Copy link
Contributor Author

SgAkErRu commented Nov 18, 2025

The current implementation contains a flaw. The grp_add() function also sets do_grp_update = true in line 1950. That function is called when useradd is called with -U flag. That means that if a user is created with -U and without -G flags, then the logic you implemented will be executed. That's an undesired execution and it will leave some users without their default supplementary groups.

But the new code check do_grp_update and sets do_grp_update = false inside the process_flags() function, which is called in main() BEFORE calling the grp_add() when the -U flag is set.

So, the new code check do_grp_update, which was changed to true inside the get_defaults function for the GROUPS variable case, and based on the order in which commands are executed, it should not conflict with this logic with -U flag.

Or am I wrong?

@SgAkErRu
Copy link
Contributor Author

SgAkErRu commented Nov 18, 2025

Finally, one of the commits mentions useradd: fix test 69_useradd_default_GROUPS_name, what is it exactly you are fixing? I'm assuming you are adapting to the new GROUPS behaviour you are trying to implement, but I'd make it more obvious in the commit message.

No, the behavior of the test itself does not change in any way and does not adapt to the current PR, because the current PR does not change the behavior for the regular user, only for the system user. And a new test number 70 has been created for the system user.

The corrections are visible in the commit itself:

  1. Missing files have been added for the test to work: gshadow, passwd, shadow. Without them, the foo user was created with a different UID and thus the test failed.

  2. Added an empty line at the end of the file in config/group

  3. The extra space at the beginning of the file in data/group was removed and an empty line was added at the end of the file. That extra space also led to a test failure due to a mismatch between the initial line of the group file in the data and config subfolders.

  4. Fixed a typo in the log message in useradd.test

If necessary, I can add this information to the description of the commit.

@ikerexxe
Copy link
Collaborator

ikerexxe commented Nov 25, 2025

Or am I wrong?

No, you are right. I must have misunderstood something but checking it again it behaves as you specified.

1. Missing files have been added for the test to work: `gshadow`, `passwd`, `shadow`. Without them, the foo user was created with a different UID and thus the test failed.

2. Added an empty line at the end of the file in `config/group`

3. The extra space at the beginning of the file in `data/group` was removed and an empty line was added at the end of the file. That extra space also led to a test failure due to a mismatch between the initial line of the `group` file in the data and config subfolders.

4. Fixed a typo in the log message in `useradd.test`

If necessary, I can add this information to the description of the commit.

Please mention 1 and you can merge 2, 3 and 4 with minor improvements or something like similar.

@SgAkErRu
src/useradd.c: Do not automatically add supplements groups for system…
1c603c0 
… users
@SgAkErRu
useradd: fix test 69_useradd_default_GROUPS_name
9a098e5 
Missing files have been added for the test to work: `gshadow`, `passwd`, `shadow`.
Without them, the foo user was created with a different UID and thus the test failed.

And other minor improvements, such as removing extra spaces and adding empty lines.
@SgAkErRu
useradd: tests for supplements groups
c408dcd 
For regular and system user cases
@SgAkErRu SgAkErRu force-pushed the useradd-sys-user-auto-groups-option branch from e66eb7f to c408dcd Compare November 25, 2025 12:53
ikerexxe
ikerexxe approved these changes Nov 26, 2025
View reviewed changes
Copy link
Collaborator

@ikerexxe ikerexxe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Thank you for the patches

@ikerexxe ikerexxe merged commit 6134359 into shadow-maint:master Nov 26, 2025
17 of 20 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alejandro-colomar alejandro-colomar alejandro-colomar left review comments

@ikerexxe ikerexxe ikerexxe approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@SgAkErRu @alejandro-colomar @ikerexxe