diff options
author | Florian Weimer <fweimer@redhat.com> | 2015-10-02 11:34:13 +0200 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2015-10-02 11:34:13 +0200 |
commit | 676599b36a92f3c201c5682ee7a5caddd9f370a4 (patch) | |
tree | 6860752c26ccab76ee9db5e60ff465d1edf25feb /shadow | |
parent | b0f81637d5bda47be93bac34b68f429a12979321 (diff) | |
download | glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.tar.gz glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.tar.xz glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.zip |
Harden putpwent, putgrent, putspent, putspent against injection [BZ #18724]
This prevents injection of ':' and '\n' into output functions which use the NSS files database syntax. Critical fields (user/group names and file system paths) are checked strictly. For backwards compatibility, the GECOS field is rewritten instead. The getent program is adjusted to use the put*ent functions in libc, instead of local copies. This changes the behavior of getent if user names start with '-' or '+'.
Diffstat (limited to 'shadow')
-rw-r--r-- | shadow/Makefile | 2 | ||||
-rw-r--r-- | shadow/putspent.c | 9 | ||||
-rw-r--r-- | shadow/tst-putspent.c | 164 |
3 files changed, 174 insertions, 1 deletions
diff --git a/shadow/Makefile b/shadow/Makefile index 8291c61622..6990f339f7 100644 --- a/shadow/Makefile +++ b/shadow/Makefile @@ -27,7 +27,7 @@ routines = getspent getspnam sgetspent fgetspent putspent \ getspent_r getspnam_r sgetspent_r fgetspent_r \ lckpwdf -tests = tst-shadow +tests = tst-shadow tst-putspent CFLAGS-getspent_r.c = -fexceptions CFLAGS-getspent.c = -fexceptions diff --git a/shadow/putspent.c b/shadow/putspent.c index 142e697e64..ba8230a482 100644 --- a/shadow/putspent.c +++ b/shadow/putspent.c @@ -15,6 +15,8 @@ License along with the GNU C Library; if not, see <http://www.gnu.org/licenses/>. */ +#include <errno.h> +#include <nss.h> #include <stdio.h> #include <shadow.h> @@ -31,6 +33,13 @@ putspent (const struct spwd *p, FILE *stream) { int errors = 0; + if (p->sp_namp == NULL || !__nss_valid_field (p->sp_namp) + || !__nss_valid_field (p->sp_pwdp)) + { + __set_errno (EINVAL); + return -1; + } + flockfile (stream); if (fprintf (stream, "%s:%s:", p->sp_namp, _S (p->sp_pwdp)) < 0) diff --git a/shadow/tst-putspent.c b/shadow/tst-putspent.c new file mode 100644 index 0000000000..d00c0229fc --- /dev/null +++ b/shadow/tst-putspent.c @@ -0,0 +1,164 @@ +/* Test for processing of invalid shadow entries. [BZ #18724] + Copyright (C) 2015 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <shadow.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> + +static bool errors; + +static void +check (struct spwd p, const char *expected) +{ + char *buf; + size_t buf_size; + FILE *f = open_memstream (&buf, &buf_size); + + if (f == NULL) + { + printf ("open_memstream: %m\n"); + errors = true; + return; + } + + int ret = putspent (&p, f); + + if (expected == NULL) + { + if (ret == -1) + { + if (errno != EINVAL) + { + printf ("putspent: unexpected error code: %m\n"); + errors = true; + } + } + else + { + printf ("putspent: unexpected success (\"%s\")\n", p.sp_namp); + errors = true; + } + } + else + { + /* Expect success. */ + size_t expected_length = strlen (expected); + if (ret == 0) + { + long written = ftell (f); + + if (written <= 0 || fflush (f) < 0) + { + printf ("stream error: %m\n"); + errors = true; + } + else if (buf[written - 1] != '\n') + { + printf ("FAILED: \"%s\" without newline\n", expected); + errors = true; + } + else if (strncmp (buf, expected, written - 1) != 0 + || written - 1 != expected_length) + { + printf ("FAILED: \"%s\" (%ld), expected \"%s\" (%zu)\n", + buf, written - 1, expected, expected_length); + errors = true; + } + } + else + { + printf ("FAILED: putspent (expected \"%s\"): %m\n", expected); + errors = true; + } + } + + fclose (f); + free (buf); +} + +static int +do_test (void) +{ + check ((struct spwd) { + .sp_namp = (char *) "root", + }, + "root::0:0:0:0:0:0:0"); + check ((struct spwd) { + .sp_namp = (char *) "root", + .sp_pwdp = (char *) "password", + }, + "root:password:0:0:0:0:0:0:0"); + check ((struct spwd) { + .sp_namp = (char *) "root", + .sp_pwdp = (char *) "password", + .sp_lstchg = -1, + .sp_min = -1, + .sp_max = -1, + .sp_warn = -1, + .sp_inact = -1, + .sp_expire = -1, + .sp_flag = -1 + }, + "root:password:::::::"); + check ((struct spwd) { + .sp_namp = (char *) "root", + .sp_pwdp = (char *) "password", + .sp_lstchg = 1, + .sp_min = 2, + .sp_max = 3, + .sp_warn = 4, + .sp_inact = 5, + .sp_expire = 6, + .sp_flag = 7 + }, + "root:password:1:2:3:4:5:6:7"); + + /* Bad values. */ + { + static const char *const bad_strings[] = { + ":", + "\n", + ":bad", + "\nbad", + "b:ad", + "b\nad", + "bad:", + "bad\n", + "b:a\nd", + NULL + }; + for (const char *const *bad = bad_strings; *bad != NULL; ++bad) + { + check ((struct spwd) { + .sp_namp = (char *) *bad, + }, NULL); + check ((struct spwd) { + .sp_namp = (char *) "root", + .sp_pwdp = (char *) *bad, + }, NULL); + } + } + + return errors; +} + +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" |