CVE-2025-5689: New authd users logging in via SSH are members of the root group
6.4
Technical Details
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/ubuntu/authd | go | < 0.5.4 | 0.5.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CVE-2025-5689) occurs when a new authd user logs in via SSH for the first time. Such users were incorrectly assigned to the 'root' group (GID 0) for their SSH session. This was due to the temporary user records created during the pre-authentication Name Service Switch (NSS) request not having an explicit Group ID (GID) set.
In Go, uninitialized integer fields (like GID in the types.UserEntry struct) default to their zero value, which is 0. GID 0 is conventionally the GID of the 'root' group.
The analysis of the patch 619ce8e55953b970f1765ddaad565081538151ab reveals that three key functions were responsible for this behavior:
- github.com/ubuntu/authd/internal/users/tempentries.preAuthUserEntry: This function creates types.UserEntry for pre-authentication. The patch added GID: user.uid, where previously GID was not set, and a TODO comment indicated awareness of it defaulting to 0.
- github.com/ubuntu/authd/internal/users/tempentries.userEntry: Similar to preAuthUserEntry, this function creates types.UserEntry for temporary users and also lacked explicit GID assignment prior to the patch.
- github.com/ubuntu/authd/internal/services/user.(*Service).userPreCheck: This service method returns a types.UserEntry. The patch added u.GID = u.UID, indicating that GID was not set before this change.
These functions, in their pre-patch state, would return or use types.UserEntry objects where the GID field was 0. This user entry was then used by the system, leading to the new user being treated as a member of the root group for that session.
The fix involved explicitly setting the GID to be the same as the UID for these temporary/new users, adhering to the User Private Groups (UPG) convention, and ensuring this GID does not conflict with existing groups.
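The zero-value pitfall and the fix described above, as an added example that is not authd's own code. The UserEntry struct is a simplified stand-in for types.UserEntry, and the function names, checkEntry guard, and sample UID/GID values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// UserEntry is a simplified stand-in for authd's types.UserEntry (assumed shape).
type UserEntry struct {
	Name     string
	UID, GID uint32
}

var (
	errRootGroup   = errors.New("non-root user entry carries GID 0")
	errGIDConflict = errors.New("private GID collides with an existing group")
)

// preAuthEntryUnpatched mirrors the pre-patch behaviour: GID is never assigned,
// so callers see Go's zero value, 0, which is the root group.
func preAuthEntryUnpatched(name string, uid uint32) UserEntry {
	return UserEntry{Name: name, UID: uid}
}

// preAuthEntryPatched follows the fix: GID equals UID (User Private Groups).
func preAuthEntryPatched(name string, uid uint32) UserEntry {
	return UserEntry{Name: name, UID: uid, GID: uid}
}

// checkEntry is a hypothetical guard for the boundary where entries are handed
// to NSS: it rejects GID 0 on non-root users and GIDs already taken by a group.
func checkEntry(e UserEntry, existingGIDs map[uint32]bool) error {
	switch {
	case e.UID != 0 && e.GID == 0:
		return fmt.Errorf("%w: user %q uid=%d", errRootGroup, e.Name, e.UID)
	case existingGIDs[e.GID]:
		return fmt.Errorf("%w: user %q gid=%d", errGIDConflict, e.Name, e.GID)
	}
	return nil
}

func main() {
	existing := map[uint32]bool{0: true, 1000: true} // constructed sample data
	for _, e := range []UserEntry{preAuthEntryUnpatched("alice", 60001), preAuthEntryPatched("alice", 60001)} {
		fmt.Printf("uid=%d gid=%d check=%v\n", e.UID, e.GID, checkEntry(e, existing))
	}
}
```

A guard of this kind fails closed on any future code path that builds an entry without setting GID, rather than relying on every constructor remembering the assignment.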