From jmaslak@w3.wind-river.com  Sun Dec 28 23:11:58 1997
Received: from w3.wind-river.com (w3.wind-river.com [204.229.180.16])
          by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id XAA13675
          for <FreeBSD-gnats-submit@freebsd.org>; Sun, 28 Dec 1997 23:11:57 -0800 (PST)
          (envelope-from jmaslak@w3.wind-river.com)
Received: (from jmaslak@localhost)
	by w3.wind-river.com (8.8.6/8.8.6) id AAA22995;
	Mon, 29 Dec 1997 00:16:27 -0700 (MST)
Message-Id: <199712290716.AAA22995@w3.wind-river.com>
Date: Mon, 29 Dec 1997 00:16:27 -0700 (MST)
From: Joel Maslak <jmaslak@w3.wind-river.com>
Reply-To: jmaslak@w3.wind-river.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: adduser is deleting users
X-Send-Pr-Version: 3.2

>Number:         5394
>Category:       bin
>Synopsis:       adduser is DELETING users
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Dec 28 23:20:02 PST 1997
>Closed-Date:    Thu Jan 1 16:43:01 MET 1998
>Last-Modified:  Thu Jan  1 16:43:31 MET 1998
>Originator:     Joel Maslak
>Release:        FreeBSD 2.2.5-RELEASE i386
>Organization:
Black Fire Productions
>Environment:

	FreeBSD 2.2.5 server, upgraded from 2.2-CURRENT machine.
	Password file used to be a Linux password file.

>Description:

	Added a user to /etc/passwd by using /usr/sbin/adduser.
	Adding user deleted all user ids above added user (user was
	added as ID 1000, a user which already existed on the system)
	(I wasn't watching the screen very closely -- oops)

	Said mildly, I was concerned about this.  I'm investigating
	possible security breach. (comparing to other FreeBSD machines
	with MD5)

>How-To-Repeat:

	I don't know.  Sorry.

>Fix:
	
	backups...  (temporary workaround was to crash the machine,
	as I was logged in remotely and attempts to gain root failed)
>Release-Note:
>Audit-Trail:

From: Wolfram Schneider <wosch@cs.tu-berlin.de>
To: jmaslak@w3.wind-river.com
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/5394: adduser is deleting users
Date: 29 Dec 1997 14:12:05 +0100

 Joel Maslak <jmaslak@w3.wind-river.com> writes:
 > 	FreeBSD 2.2.5 server, upgraded from 2.2-CURRENT machine.
 > 	Password file used to be a Linux password file.
                                    ^^^^^^^^^^^^^^
 Oh ...
 
 > >Description:
 > 	Added a user to /etc/passwd by using /usr/sbin/adduser.
 > 	Adding user deleted all user ids above added user (user was
 > 	added as ID 1000, a user which already existed on the system)
 > 	(I wasn't watching the screen very closely -- oops)
 
 Adduser only appends entries to /etc/master.passwd. /etc/passwd is a
 dummy file, created by pwd_mkdb -p. DO NOT EDIT /etc/passwd! It will
 be overwritten every time you (or someone else) add/delete/change a
 user.
 
 Adduser does not accept an ID for new users which is already in use.
 
 -- 
 Wolfram Schneider   <wosch@freebsd.org>   http://www.freebsd.org/~wosch/
State-Changed-From-To: open->closed 
State-Changed-By: joerg 
State-Changed-When: Thu Jan 1 16:43:01 MET 1998 
State-Changed-Why:  

See the audit-trail, the master is /etc/master.passwd. 
>Unformatted:
