I have a habit of saving the output (to update.txt) from my “zypper -vvvv up” that I run every now and then.
… so I opened the file up and searched for “shadow” - sure enough, it was included in the previous dup I ran recently, with 87 updates.
From YaST add a new user – a Test User.
The new user’s directory is empty.
# l /home/Test-Benutzer/
insgesamt 8
drwxr-xr-t 5 test-user test-user 51 2. Aug 14:59 ./
drwxr-xr-x 8 root root 301 15. Mär 2022 ../
drwxr-xr-x 18 test001 test-user 4096 29. Jun 17:08 test001/
drwxr-xr-x 16 test002 test-user 4096 27. Feb 14:25 test002/
drwxr-xr-x 2 test003 test-user 6 2. Aug 14:57 test003/
# l /home/Test-Benutzer/test003/
insgesamt 0
drwxr-xr-x 2 test003 test-user 6 2. Aug 14:57 ./
drwxr-xr-t 5 test-user test-user 51 2. Aug 14:59 ../
#
Haven’t tried “adduser” & Co. but, YaST running under KDE Plasma definitely has an issue here – I didn’t activate the “empty home directory” option during the YaST add user procedure.
Seriously, it is tempest in a teapot. Sure, it is defect that has to be fixed. But what exactly does not work because of this? You lose some templates copied to your home directory? If you need to edit these files,. you are supposed to know what you are doing and what content should be. You do not need existing dummies for this.
Yes! The CVE fix will be lost. I had NO idea what the CVE fix fixed until a few minutes ago. I am simply letting folks know how to restore previous behavior should they need/want it.
I also agree that the loss of “some templates” is TRIVIAL! If needed, they can be manually copied.
And the reason I had not bothered to see what the fix fixes? The only time I EVER create a new user is to test something that might mess up the home directory of the user testing, that is to say I almost never create new users.
As for the temporary loss of the security fix:
Like most security patches, it closes a hypothetical hole rather than addressing an imminent threat. The CVE is designated as low priority by the folk working on it.
Tumbleweed uses shadow 4.16.0-2.1. I don’t know whether the security issue addressed by “4.8.1-150600.17.3.1” applies to the newer version of shadow or not.