From nobody  Fri Aug 22 10:26:20 1997
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id KAA20794;
          Fri, 22 Aug 1997 10:26:20 -0700 (PDT)
Message-Id: <199708221726.KAA20794@hub.freebsd.org>
Date: Fri, 22 Aug 1997 10:26:20 -0700 (PDT)
From: agonzalez@globalpc.net
To: freebsd-gnats-submit@freebsd.org
Subject: bug in adduser script causes duplicate UIDs
X-Send-Pr-Version: www-1.0

>Number:         4357
>Category:       bin
>Synopsis:       bug in adduser script causes duplicate UIDs
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    mtm
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Aug 22 10:30:00 PDT 1997
>Closed-Date:    Sat Feb 22 14:30:07 PST 2003
>Last-Modified:  Sat Feb 22 14:30:07 PST 2003
>Originator:     Adrian Gonzalez
>Release:        2.2.2-Release
>Organization:
Global PCNet
>Environment:
FreeBSD nlaredo.globalpc.net 2.2.2-RELEASE FreeBSD 2.2.2-RELEASE #0: Thu Aug  7
13:56:15 CDT 1997     root@nlaredo.globalpc.net:/usr/src/sys/compile/LOCAL  i386

>Description:
While adding a user the other day, I noticed that if somebody else
started another adduser script before I finished adding the current
user, both would get assigned the same UID.  Now, technically, this is
not a bug, since the script asks you which UID you want to use,
however, it would be quite hard to guess if somebody else is adding a
user and what UID they're using.
>How-To-Repeat:
Run the adduser script and start answering the questions.  Try adding
a dumb user (test1) and get to the point where it asks for the UID.
When you get there, start an adduser script from another session and
add another dumb user (test2).  When you get to the UID prompt, you
will get the same UID for this user.  If you go through and add the
users, the script will happily add the two users with the same UID.
>Fix:
My suggestion would be to lock the password file from the beginning
of the script and notify the user if it can't get a lock.  That way
there can only be one adduser script running at any given time.

Looking at the script, however, this does not seem like a good idea.
It uses a subroutine called 'append_file' that takes care of the
locking while appending a line to a file.  Personally, I'm going to
do the pw file lock at the beginning, and make a modified append_file
routine specifically for the password file (which will already be
locked).  Hopefully, the author will come up with a 'cleaner'
solution later on :)

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->wosch 
Responsible-Changed-By: wosch 
Responsible-Changed-When: Tue Aug 26 09:42:36 PDT 1997 
Responsible-Changed-Why:  
Adduser is my area. 
Responsible-Changed-From-To: wosch->freebsd-bugs 
Responsible-Changed-By: wosch 
Responsible-Changed-When: Sun Jan 13 03:55:51 PST 2002 
Responsible-Changed-Why:  
I'm no longer the maintainer of adduser. 

http://www.FreeBSD.org/cgi/query-pr.cgi?pr=4357 
Responsible-Changed-From-To: freebsd-bugs->mtm 
Responsible-Changed-By: johan 
Responsible-Changed-When: Sat Feb 22 06:10:12 PST 2003 
Responsible-Changed-Why:  
Over to adduser.sh author. This report was for the old 
adduser perl script but it is still a problem with 
the new sh script. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=4357 
State-Changed-From-To: open->closed 
State-Changed-By: mtm 
State-Changed-When: Sat Feb 22 14:25:20 PST 2003 
State-Changed-Why:  
This is no longer a problem. 
The script automatically checks to ensure that any uid it 
is given does not allready exist. Should a conflicting uid 
be created between the time it does the check and when it 
gets around to adding it, the duplicate will be rejected by pw(8). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=4357 
>Unformatted:
