VYPR
Unrated severity · NVD Advisory · Published Dec 18, 2019 · Updated Aug 5, 2024

CVE-2019-19882


Description

shadow 4.8, in certain circumstances affecting at least Gentoo, Arch Linux, and Void Linux, allows local users to obtain root access because setuid programs are misconfigured. Specifically, this affects shadow 4.8 when compiled using --with-libpam but without explicitly passing --disable-account-tools-setuid, and without a PAM configuration suitable for use with setuid account management tools. This combination leads to account management tools (groupadd, groupdel, groupmod, useradd, userdel, usermod) that can easily be used by unprivileged local users to escalate privileges to root in multiple ways. This issue became much more relevant in approximately December 2019 when an unrelated bug was fixed (i.e., the chmod calls to suidusbins were fixed in the upstream Makefile which is now included in the release version 4.8).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products: 2

Vulnerability mechanics

Root cause

"Account management tools are installed setuid-root while their PAM auth configuration uses pam_permit.so, allowing any local user to execute them without authentication."

Attack vector

An unprivileged local user can run any of the setuid account management tools (e.g., `useradd`, `groupadd`, `usermod`) without providing a password because the PAM auth configuration uses `pam_permit.so` [ref_id=1]. The setuid bit elevates the process to root, and `pam_permit.so` immediately returns success, so no authentication challenge occurs. The attacker can then create new users, modify existing users, delete users, or manipulate groups at will, leading directly to full root privilege escalation [ref_id=1]. No network access or special capabilities are required — only a local shell account.

Affected code

The vulnerability is a configuration issue, not a code flaw. The shadow 4.8 package, when compiled with `--with-libpam` and without `--disable-account-tools-setuid`, installs setuid-root binaries for account management tools: `groupadd`, `groupdel`, `groupmod`, `useradd`, `userdel`, `usermod`, `chgpasswd`, `chpasswd`, and `newusers` [ref_id=1]. The accompanying PAM configuration files use `pam_permit.so` for the `auth` stack, which skips all authentication [ref_id=1].

What the fix does

The fix has two complementary parts. First, the PAM configuration for account management tools should replace `auth required pam_permit.so` with `auth required pam_deny.so`, so that only root (via `pam_rootok.so`) can use these tools without a password [ref_id=1]. Second, distributions should either disable the `--enable-account-tools-setuid` configure flag by default or introduce an explicit USE flag (e.g., `account-tools-setuid`) so that setuid installation is opt-in rather than automatic when PAM is enabled [ref_id=1]. The Gentoo bug report provides a concrete ebuild patch implementing both changes [ref_id=1].

Preconditions

  • config: The shadow package must be compiled with --with-libpam and without --disable-account-tools-setuid, causing account management binaries to be installed setuid-root
  • config: The PAM configuration for account management tools must use pam_permit.so for the auth stack (the default in the affected package)
  • auth: The attacker must have a local unprivileged shell account on the system
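The following audit script is an added example, not code from the advisory, NVD, or the shadow project. It checks the two configuration preconditions above together with the PAM change described under "What the fix does": it lists which of the nine account tools carry the setuid bit, and for each one inspects the matching PAM service file for a `pam_permit.so` entry on the `auth` stack. The directory layout, the stand-in binaries and the two PAM stanzas in the demo section are constructed for illustration; the audit functions take arbitrary paths, so pointing them at `/usr/sbin` and `/etc/pam.d` works the same way.

```shell
#!/bin/sh
# Added audit example for CVE-2019-19882 (not code from the advisory, NVD, or
# the shadow project). It checks the two conditions the advisory describes:
#   1. an account-management tool is installed setuid-root, and
#   2. the PAM service file for that tool uses pam_permit.so on its auth stack.
# The sample PAM stanzas and binaries below are constructed for the demo; the
# audit functions work on real paths such as /usr/sbin and /etc/pam.d as well.

# The nine tools the advisory lists as installed setuid when the package is
# built with --with-libpam and without --disable-account-tools-setuid.
ACCOUNT_TOOLS="groupadd groupdel groupmod useradd userdel usermod chgpasswd chpasswd newusers"

# setuid_account_tools SBIN_DIR
# Print the account tools in SBIN_DIR that carry the setuid bit, one per line.
setuid_account_tools() {
    for tool in $ACCOUNT_TOOLS; do
        [ -u "$1/$tool" ] && echo "$tool"
    done
    return 0
}

# pam_auth_is_permissive PAM_FILE
# Succeed (exit 0) when an uncommented "auth" line in PAM_FILE loads
# pam_permit.so, i.e. the auth stack grants access without any credential check.
# A missing or all-comment file is treated as not permissive.
pam_auth_is_permissive() {
    grep -Ev '^[[:space:]]*#' "$1" 2>/dev/null \
        | awk '$1 == "auth" && $3 ~ /pam_permit\.so/ { found = 1 } END { exit !found }'
}

# audit_account_tools SBIN_DIR PAM_DIR
# Report every setuid account tool whose PAM service file (PAM_DIR/<tool>)
# is permissive. Returns 1 if at least one vulnerable combination was found.
audit_account_tools() {
    bad=0
    for tool in $(setuid_account_tools "$1"); do
        if pam_auth_is_permissive "$2/$tool"; then
            echo "$tool: setuid-root, auth stack uses pam_permit.so -> VULNERABLE"
            bad=1
        else
            echo "$tool: setuid-root, auth stack does not use pam_permit.so -> ok"
        fi
    done
    return $bad
}

# --- Demo on constructed data -------------------------------------------------
demo=$(mktemp -d)
mkdir -p "$demo/sbin" "$demo/pam.d"

# Constructed stand-ins for the installed binaries: useradd and groupadd carry
# the setuid bit, usermod does not.
for tool in useradd groupadd usermod; do : > "$demo/sbin/$tool"; done
chmod u+s "$demo/sbin/useradd" "$demo/sbin/groupadd"

# Vulnerable stanza: pam_permit.so on the auth stack means any caller passes.
cat > "$demo/pam.d/useradd" <<'EOF'
auth     sufficient pam_rootok.so
auth     required   pam_permit.so
account  required   pam_permit.so
EOF

# Fixed stanza as the advisory describes it: pam_deny.so, so only root (via
# pam_rootok.so) gets past the auth stack.
cat > "$demo/pam.d/groupadd" <<'EOF'
auth     sufficient pam_rootok.so
auth     required   pam_deny.so
account  required   pam_permit.so
EOF

audit_account_tools "$demo/sbin" "$demo/pam.d" \
    || echo "audit: at least one setuid account tool is usable without authentication"
rm -rf "$demo"
```

On a real host the interesting output is any line ending in `VULNERABLE`; a tool that is setuid but whose service file already ends the `auth` stack in `pam_deny.so`, or a tool with no setuid bit at all, is not reported as a problem. The script only reads the service file named after the tool, so stacks pulled in through `include` or `substack` directives are not followed.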

Reproduction

As a local unprivileged user, run `useradd -m foo` to create a new user account without being prompted for any password. Verify success with `grep ^foo /etc/passwd` and `ls -lad /home/foo` [ref_id=1]. The same approach works with `groupadd`, `groupdel`, `groupmod`, `userdel`, `usermod`, `chpasswd`, `chgpasswd`, and `newusers` — all operate without authentication due to the `pam_permit.so` configuration combined with the setuid bit [ref_id=1].

Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 6

News mentions: 0 (no linked articles in our index yet)