[Rpm-maint] Verify when two usernames use the same UID
Panu Matilainen
pmatilai at laiskiainen.org
Fri Jun 6 07:42:00 UTC 2014
On 06/05/2014 07:15 PM, Archie Cobbs wrote:
> I'd like a second opinion from this list on http://rpm.org/ticket/872 which
> was just closed as invalid. I don't agree (and I also don't understand the
> closing comment).
>
> The issue is that rpm --verify fails 50% of the time when one of the RPM's
> files is owned by a user 'aaa' who happens to share the same UID as another
> user 'bbb', even though the RPM is completely unchanged from its original
> installation. This just seems wrong.
>
> In UNIX the username -> UID relationship is a many-to-one mapping. Or have
> I been mistaken all these years?
>
> Simply put, rpm --verify is incorrectly assuming that this relationship is
> one-to-one.
>
> Either rpm has a bug or I'm missing something very basic...

Rpm has many bugs but I don't think this is one of them.

Pretty much the whole POSIX API assumes username <-> uid relation being
one-to-one, getpwnam() and getpwuid() have no provisions to return more
than one entry. What happens when duplicates are present is not
described in any standard I know of (feel free to educate me if I'm just
ignorant here) but I'd assume the behavior to be implementation
dependent at best.

Oh and just FWIW, what you describe in the ticket as the algorithm rpm
should use is actually exactly what rpm does: it stat()'s the file,
looks up the username from st.st_uid and compares that with what is
stored in the package for that file.

- Panu -
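
An added example, not part of the original message and not rpm's code: a small model of the check described above, run against a constructed user table in which 'aaa' and 'bbb' share UID 1001. The first-match reverse lookup and the forward name-to-UID comparison are assumptions made for illustration; the thread does not say which entry a real getpwuid() returns.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed passwd entries: 'aaa' and 'bbb' share UID 1001. */
struct entry { const char *name; uid_t uid; };
static const struct entry db[] = {
    { "root", 0 }, { "aaa", 1001 }, { "bbb", 1001 }, { "ccc", 1002 },
};
#define DB_LEN (sizeof db / sizeof db[0])

/* Like getpwuid(): can return only one name; here, the first match. */
static const char *name_for_uid(uid_t uid) {
    for (size_t i = 0; i < DB_LEN; i++)
        if (db[i].uid == uid) return db[i].name;
    return NULL;
}

/* Like getpwnam(): names are unique keys, so the result is unambiguous. */
static int uid_for_name(const char *name, uid_t *out) {
    for (size_t i = 0; i < DB_LEN; i++)
        if (strcmp(db[i].name, name) == 0) { *out = db[i].uid; return 0; }
    return -1;
}

/* Reverse check as described in the message: uid -> name, compare names. */
int verify_by_name(uid_t st_uid, const char *pkg_owner) {
    const char *n = name_for_uid(st_uid);
    return n != NULL && strcmp(n, pkg_owner) == 0;
}

/* Forward check (an alternative for comparison, not attributed to rpm):
 * name -> uid, compare numeric uids. */
int verify_by_uid(uid_t st_uid, const char *pkg_owner) {
    uid_t want;
    return uid_for_name(pkg_owner, &want) == 0 && want == st_uid;
}

int main(void) {
    const char *owners[] = { "aaa", "bbb", "ccc" };
    for (size_t i = 0; i < 3; i++)
        printf("file uid 1001, package owner %s: by_name=%d by_uid=%d\n",
               owners[i], verify_by_name(1001, owners[i]),
               verify_by_uid(1001, owners[i]));
    return 0;
}
```

With the reverse lookup, a file packaged as owned by 'bbb' fails verification solely because of entry order in the user database, while an unrelated owner ('ccc') is rejected by both checks.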