Ubuntu server install could end up with no user if an existing group name is used

Bug #1987341 reported by Ponnuvel Palaniyappan
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
subiquity
Fix Released
Undecided
Unassigned

Bug Description

While attempting to install Ubuntu server 22.04.1, I gave "kvm" as the user name at the time of install.

However, it turns out there's an existing group called "kvm" and thus the user creation fails silently. But this isn't informed to the user. Install proceeds and completes; eventually when the user tries to login, the error simply says "Incorrect login" with no indication of what's wrong.

Since there's no other user, it's not easy to debug it either. I believe this would fail in the same way for any username if there's an existing group with that name.

I booted into the image again, mounted the root filesystem and did chroot to access the logs. Here's the cloud-init part where it fails to create the user: https://pasteboard.co/3c61C0xevWai.png

There are two issues here.

1. Users should be informed that this failure rather than proceeding with install and then locking them out.

2. Should the cloud-init script allow usernames to be created if it happens to be an existing group? It's arguable that this isn't a good idea as we can't tell whether someone really intended to create a user with some group which may have different semantics they didn't want.

But I think there needs to be some sort of message to the user about this before proceeding with install.

Tags: seg
tags: added: seg
Revision history for this message
Bruce Elrick (virtuous-sloth) wrote :

Regarding issue 2 above, cloud-init does support adding a 'no_user_group: true' boolean to a user creation stanza, so subiquity could detect that a default userless group name was used and then either:

 - prevent the user from using it (with an appropriate warning)
 - allow the user to use it, but adjust the cloud-init config to use the boolean

Revision history for this message
Thomas Martin (twovi) wrote :

Or, if possible provide the same messaging when using `adduser` and deny the creation of the user if the group exists. The installer could prompt this as part of the process.

Revision history for this message
Olivier Gayot (ogayot) wrote :

I've created a PR to reject the kvm username along with 3 other usernames that would have failed identically.

https://github.com/canonical/subiquity/pull/1430

Let's try to think of a way (using CI?) to detect when a package from the base install "reserves" a new system group/user ; so that we can keep our list up-to-date.

Dan Bungert (dbungert)
Changed in subiquity:
status: New → Fix Committed
Revision history for this message
Dan Bungert (dbungert) wrote :

We believe a fix for this can be found in Subiquity 22.10.1. On
install you will be offered to update to the new version of the
installer if network is available, or you can perform a manual update
by running the follwing in a terminal:
sudo snap refresh subiquity

Changed in subiquity:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.