diff options
author | Florian Weimer <fweimer@redhat.com> | 2015-10-02 11:34:13 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2015-10-02 11:34:13 +0200 |
commit | 676599b36a92f3c201c5682ee7a5caddd9f370a4 (patch) | |
tree | 6860752c26ccab76ee9db5e60ff465d1edf25feb /pwd | |
parent | b0f81637d5bda47be93bac34b68f429a12979321 (diff) | |
download | glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.tar.gz glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.tar.xz glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.zip |
Harden putpwent, putgrent, putspent, putspent against injection [BZ #18724]
This prevents injection of ':' and '\n' into output functions which use the NSS files database syntax. Critical fields (user/group names and file system paths) are checked strictly. For backwards compatibility, the GECOS field is rewritten instead. The getent program is adjusted to use the put*ent functions in libc, instead of local copies. This changes the behavior of getent if user names start with '-' or '+'.
Diffstat (limited to 'pwd')
-rw-r--r-- | pwd/Makefile | 2 | ||||
-rw-r--r-- | pwd/putpwent.c | 52 | ||||
-rw-r--r-- | pwd/tst-putpwent.c | 168 |
3 files changed, 200 insertions, 22 deletions
diff --git a/pwd/Makefile b/pwd/Makefile index 7f6de03b57..af0973455b 100644 --- a/pwd/Makefile +++ b/pwd/Makefile @@ -28,7 +28,7 @@ routines := fgetpwent getpw putpwent \ getpwent getpwnam getpwuid \ getpwent_r getpwnam_r getpwuid_r fgetpwent_r -tests := tst-getpw +tests := tst-getpw tst-putpwent include ../Rules diff --git a/pwd/putpwent.c b/pwd/putpwent.c index 8be58c27ae..16b9c6f80f 100644 --- a/pwd/putpwent.c +++ b/pwd/putpwent.c @@ -18,37 +18,47 @@ #include <errno.h> #include <stdio.h> #include <pwd.h> +#include <nss.h> #define _S(x) x ?: "" -/* Write an entry to the given stream. - This must know the format of the password file. */ +/* Write an entry to the given stream. This must know the format of + the password file. If the input contains invalid characters, + return EINVAL, or replace them with spaces (if they are contained + in the GECOS field). */ int -putpwent (p, stream) - const struct passwd *p; - FILE *stream; +putpwent (const struct passwd *p, FILE *stream) { - if (p == NULL || stream == NULL) + if (p == NULL || stream == NULL + || p->pw_name == NULL || !__nss_valid_field (p->pw_name) + || !__nss_valid_field (p->pw_passwd) + || !__nss_valid_field (p->pw_dir) + || !__nss_valid_field (p->pw_shell)) { __set_errno (EINVAL); return -1; } + int ret; + char *gecos_alloc; + const char *gecos = __nss_rewrite_field (p->pw_gecos, &gecos_alloc); + + if (gecos == NULL) + return -1; + if (p->pw_name[0] == '+' || p->pw_name[0] == '-') - { - if (fprintf (stream, "%s:%s:::%s:%s:%s\n", - p->pw_name, _S (p->pw_passwd), - _S (p->pw_gecos), _S (p->pw_dir), _S (p->pw_shell)) < 0) - return -1; - } + ret = fprintf (stream, "%s:%s:::%s:%s:%s\n", + p->pw_name, _S (p->pw_passwd), + gecos, _S (p->pw_dir), _S (p->pw_shell)); else - { - if (fprintf (stream, "%s:%s:%lu:%lu:%s:%s:%s\n", - p->pw_name, _S (p->pw_passwd), - (unsigned long int) p->pw_uid, - (unsigned long int) p->pw_gid, - _S (p->pw_gecos), _S (p->pw_dir), _S (p->pw_shell)) < 0) - return -1; - } - return 0; + ret = fprintf (stream, "%s:%s:%lu:%lu:%s:%s:%s\n", + p->pw_name, _S (p->pw_passwd), + (unsigned long int) p->pw_uid, + (unsigned long int) p->pw_gid, + gecos, _S (p->pw_dir), _S (p->pw_shell)); + + free (gecos_alloc); + if (ret >= 0) + ret = 0; + return ret; } diff --git a/pwd/tst-putpwent.c b/pwd/tst-putpwent.c new file mode 100644 index 0000000000..a408e43e3b --- /dev/null +++ b/pwd/tst-putpwent.c @@ -0,0 +1,168 @@ +/* Test for processing of invalid passwd entries. [BZ #18724] + Copyright (C) 2015 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <pwd.h> +#include <stdbool.h> +#include <stdio.h> +#include <string.h> +#include <stdlib.h> + +static bool errors; + +static void +check (struct passwd p, const char *expected) +{ + char *buf; + size_t buf_size; + FILE *f = open_memstream (&buf, &buf_size); + + if (f == NULL) + { + printf ("open_memstream: %m\n"); + errors = true; + return; + } + + int ret = putpwent (&p, f); + + if (expected == NULL) + { + if (ret == -1) + { + if (errno != EINVAL) + { + printf ("putpwent: unexpected error code: %m\n"); + errors = true; + } + } + else + { + printf ("putpwent: unexpected success (\"%s\")\n", p.pw_name); + errors = true; + } + } + else + { + /* Expect success. */ + size_t expected_length = strlen (expected); + if (ret == 0) + { + long written = ftell (f); + + if (written <= 0 || fflush (f) < 0) + { + printf ("stream error: %m\n"); + errors = true; + } + else if (buf[written - 1] != '\n') + { + printf ("FAILED: \"%s\" without newline\n", expected); + errors = true; + } + else if (strncmp (buf, expected, written - 1) != 0 + || written - 1 != expected_length) + { + printf ("FAILED: \"%s\" (%ld), expected \"%s\" (%zu)\n", + buf, written - 1, expected, expected_length); + errors = true; + } + } + else + { + printf ("FAILED: putpwent (expected \"%s\"): %m\n", expected); + errors = true; + } + } + + fclose (f); + free (buf); +} + +static int +do_test (void) +{ + check ((struct passwd) { + .pw_name = (char *) "root", + }, + "root::0:0:::"); + check ((struct passwd) { + .pw_name = (char *) "root", + .pw_passwd = (char *) "password", + }, + "root:password:0:0:::"); + check ((struct passwd) { + .pw_name = (char *) "root", + .pw_passwd = (char *) "password", + .pw_uid = 12, + .pw_gid = 34, + .pw_gecos = (char *) "gecos", + .pw_dir = (char *) "home", + .pw_shell = (char *) "shell", + }, + "root:password:12:34:gecos:home:shell"); + check ((struct passwd) { + .pw_name = (char *) "root", + .pw_passwd = (char *) "password", + .pw_uid = 12, + .pw_gid = 34, + .pw_gecos = (char *) ":ge\n:cos\n", + .pw_dir = (char *) "home", + .pw_shell = (char *) "shell", + }, + "root:password:12:34: ge cos :home:shell"); + + /* Bad values. */ + { + static const char *const bad_strings[] = { + ":", + "\n", + ":bad", + "\nbad", + "b:ad", + "b\nad", + "bad:", + "bad\n", + "b:a\nd", + NULL + }; + for (const char *const *bad = bad_strings; *bad != NULL; ++bad) + { + check ((struct passwd) { + .pw_name = (char *) *bad, + }, NULL); + check ((struct passwd) { + .pw_name = (char *) "root", + .pw_passwd = (char *) *bad, + }, NULL); + check ((struct passwd) { + .pw_name = (char *) "root", + .pw_dir = (char *) *bad, + }, NULL); + check ((struct passwd) { + .pw_name = (char *) "root", + .pw_shell = (char *) *bad, + }, NULL); + } + } + + return errors > 0; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" |