[Rpm-maint] Verify when two usernames use the same UID

Panu Matilainen pmatilai at laiskiainen.org
Fri Jun 6 07:42:00 UTC 2014

On 06/05/2014 07:15 PM, Archie Cobbs wrote:
> I'd like a second opinion from this list on http://rpm.org/ticket/872 which
> was just closed as invalid. I don't agree (and I also don't understand the
> closing comment).
> The issue is that rpm --verify fails 50% of the time when one of the RPM's
> files is owned by a user 'aaa' who happens to share the same UID as another
> user 'bbb', even though the RPM is completely unchanged from its original
> installation. This just seems wrong.
> In UNIX the username -> UID relationship is a many-to-one mapping. Or have
> I been mistaken all these years?
> Simply put, rpm --verify is incorrectly assuming that this relationship is
> one-to-one.
> Either rpm has a bug or I'm missing something very basic...

Rpm has many bugs but I don't think this is one of them.

Pretty much the whole POSIX API assumes username <-> uid relation being 
one-to-one, getpwnam() and getpwuid() have no provisions to return more 
than one entry. What happens when duplicates are present is not 
described in any standard I know of (feel free to educate me if I'm just 
ignorant here) but I'd assume the behavior to be implementation 
dependent at best.

Oh and just FWIW, what you describe in the ticket as the algorithm rpm 
should use is actually exactly what rpm does: it stat()'s the file, 
looks up the username from st.st_uid and compares that with what is 
stored in the package for that file.

	- Panu -
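
The two comparisons at issue in this thread, as an added example that is not part of the original message and is not rpm's code. It uses a constructed passwd-format table in which 'aaa' and 'bbb' share UID 1001; the function names are hypothetical, and "first matching entry wins" is a modelling assumption for a lookup that can return only one name per UID.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed passwd-format data: 'aaa' and 'bbb' share UID 1001. */
static const char DB[] =
    "root:x:0:0::/root:/bin/sh\n"
    "aaa:x:1001:1001::/home/aaa:/bin/sh\n"
    "bbb:x:1001:1001::/home/bbb:/bin/sh\n";

/* Return the idx-th entry matching want_name (or want_uid if want_name is NULL). */
static int lookup(const char *db, const char *want_name, long want_uid,
                  int idx, char *name, size_t n, long *uid) {
    for (const char *p = db; *p; p += strcspn(p, "\n"), p += (*p == '\n')) {
        size_t len = strcspn(p, "\n");
        const char *c1 = memchr(p, ':', len);
        const char *c2 = c1 ? memchr(c1 + 1, ':', len - (size_t)(c1 + 1 - p)) : NULL;
        if (!c2 || (size_t)(c1 - p) >= n || c2[1] < '0' || c2[1] > '9') continue;
        char *end; long u = strtol(c2 + 1, &end, 10);
        size_t nl = (size_t)(c1 - p);
        int hit = want_name ? strlen(want_name) == nl && !memcmp(want_name, p, nl)
                            : u == want_uid;
        if (*end != ':' || !hit || idx-- > 0) continue;
        memcpy(name, p, nl); name[nl] = '\0'; *uid = u;
        return 1;
    }
    return 0;
}
/* Name check as the message describes it: st_uid -> ONE username -> compare. */
static int verify_by_name(const char *db, long st_uid, const char *pkg_user) {
    char name[64]; long uid;
    return lookup(db, NULL, st_uid, 0, name, sizeof name, &uid) && !strcmp(name, pkg_user);
}
/* Hypothetical alternative (not rpm's code): packaged name -> UID, compare numbers. */
static int verify_by_uid(const char *db, long st_uid, const char *pkg_user) {
    char name[64]; long uid;
    return lookup(db, pkg_user, 0, 0, name, sizeof name, &uid) && uid == st_uid;
}
/* Audit helper: count usernames sharing a UID; more than 1 means aliases exist. */
static int names_for_uid(const char *db, long uid) {
    char name[64]; long u; int k = 0;
    while (lookup(db, NULL, uid, k, name, sizeof name, &u)) k++;
    return k;
}

int main(void) {
    printf("by-name aaa=%d bbb=%d | by-uid bbb=%d | names for 1001: %d\n",
           verify_by_name(DB, 1001, "aaa"), verify_by_name(DB, 1001, "bbb"),
           verify_by_uid(DB, 1001, "bbb"), names_for_uid(DB, 1001));
}
```

With the entries in the opposite order the name-based result flips, so an audit that flags any UID with more than one name identifies the accounts for which this check depends on lookup order.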
