aboutsummaryrefslogtreecommitdiff
path: root/shadow
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2015-10-02 11:34:13 +0200
committerFlorian Weimer <fweimer@redhat.com>2015-10-02 11:34:13 +0200
commit676599b36a92f3c201c5682ee7a5caddd9f370a4 (patch)
tree6860752c26ccab76ee9db5e60ff465d1edf25feb /shadow
parentb0f81637d5bda47be93bac34b68f429a12979321 (diff)
downloadglibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.zip
glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.tar.gz
glibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.tar.bz2
Harden putpwent, putgrent, putspent, putspent against injection [BZ #18724]
This prevents injection of ':' and '\n' into output functions which use the NSS files database syntax. Critical fields (user/group names and file system paths) are checked strictly. For backwards compatibility, the GECOS field is rewritten instead. The getent program is adjusted to use the put*ent functions in libc, instead of local copies. This changes the behavior of getent if user names start with '-' or '+'.
Diffstat (limited to 'shadow')
-rw-r--r--shadow/Makefile2
-rw-r--r--shadow/putspent.c9
-rw-r--r--shadow/tst-putspent.c164
3 files changed, 174 insertions, 1 deletions
diff --git a/shadow/Makefile b/shadow/Makefile
index 8291c61..6990f33 100644
--- a/shadow/Makefile
+++ b/shadow/Makefile
@@ -27,7 +27,7 @@ routines = getspent getspnam sgetspent fgetspent putspent \
getspent_r getspnam_r sgetspent_r fgetspent_r \
lckpwdf
-tests = tst-shadow
+tests = tst-shadow tst-putspent
CFLAGS-getspent_r.c = -fexceptions
CFLAGS-getspent.c = -fexceptions
diff --git a/shadow/putspent.c b/shadow/putspent.c
index 142e697..ba8230a 100644
--- a/shadow/putspent.c
+++ b/shadow/putspent.c
@@ -15,6 +15,8 @@
License along with the GNU C Library; if not, see
<http://www.gnu.org/licenses/>. */
+#include <errno.h>
+#include <nss.h>
#include <stdio.h>
#include <shadow.h>
@@ -31,6 +33,13 @@ putspent (const struct spwd *p, FILE *stream)
{
int errors = 0;
+ if (p->sp_namp == NULL || !__nss_valid_field (p->sp_namp)
+ || !__nss_valid_field (p->sp_pwdp))
+ {
+ __set_errno (EINVAL);
+ return -1;
+ }
+
flockfile (stream);
if (fprintf (stream, "%s:%s:", p->sp_namp, _S (p->sp_pwdp)) < 0)
diff --git a/shadow/tst-putspent.c b/shadow/tst-putspent.c
new file mode 100644
index 0000000..d00c022
--- /dev/null
+++ b/shadow/tst-putspent.c
@@ -0,0 +1,164 @@
+/* Test for processing of invalid shadow entries. [BZ #18724]
+ Copyright (C) 2015 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <errno.h>
+#include <shadow.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+static bool errors;
+
+static void
+check (struct spwd p, const char *expected)
+{
+ char *buf;
+ size_t buf_size;
+ FILE *f = open_memstream (&buf, &buf_size);
+
+ if (f == NULL)
+ {
+ printf ("open_memstream: %m\n");
+ errors = true;
+ return;
+ }
+
+ int ret = putspent (&p, f);
+
+ if (expected == NULL)
+ {
+ if (ret == -1)
+ {
+ if (errno != EINVAL)
+ {
+ printf ("putspent: unexpected error code: %m\n");
+ errors = true;
+ }
+ }
+ else
+ {
+ printf ("putspent: unexpected success (\"%s\")\n", p.sp_namp);
+ errors = true;
+ }
+ }
+ else
+ {
+ /* Expect success. */
+ size_t expected_length = strlen (expected);
+ if (ret == 0)
+ {
+ long written = ftell (f);
+
+ if (written <= 0 || fflush (f) < 0)
+ {
+ printf ("stream error: %m\n");
+ errors = true;
+ }
+ else if (buf[written - 1] != '\n')
+ {
+ printf ("FAILED: \"%s\" without newline\n", expected);
+ errors = true;
+ }
+ else if (strncmp (buf, expected, written - 1) != 0
+ || written - 1 != expected_length)
+ {
+ printf ("FAILED: \"%s\" (%ld), expected \"%s\" (%zu)\n",
+ buf, written - 1, expected, expected_length);
+ errors = true;
+ }
+ }
+ else
+ {
+ printf ("FAILED: putspent (expected \"%s\"): %m\n", expected);
+ errors = true;
+ }
+ }
+
+ fclose (f);
+ free (buf);
+}
+
+static int
+do_test (void)
+{
+ check ((struct spwd) {
+ .sp_namp = (char *) "root",
+ },
+ "root::0:0:0:0:0:0:0");
+ check ((struct spwd) {
+ .sp_namp = (char *) "root",
+ .sp_pwdp = (char *) "password",
+ },
+ "root:password:0:0:0:0:0:0:0");
+ check ((struct spwd) {
+ .sp_namp = (char *) "root",
+ .sp_pwdp = (char *) "password",
+ .sp_lstchg = -1,
+ .sp_min = -1,
+ .sp_max = -1,
+ .sp_warn = -1,
+ .sp_inact = -1,
+ .sp_expire = -1,
+ .sp_flag = -1
+ },
+ "root:password:::::::");
+ check ((struct spwd) {
+ .sp_namp = (char *) "root",
+ .sp_pwdp = (char *) "password",
+ .sp_lstchg = 1,
+ .sp_min = 2,
+ .sp_max = 3,
+ .sp_warn = 4,
+ .sp_inact = 5,
+ .sp_expire = 6,
+ .sp_flag = 7
+ },
+ "root:password:1:2:3:4:5:6:7");
+
+ /* Bad values. */
+ {
+ static const char *const bad_strings[] = {
+ ":",
+ "\n",
+ ":bad",
+ "\nbad",
+ "b:ad",
+ "b\nad",
+ "bad:",
+ "bad\n",
+ "b:a\nd",
+ NULL
+ };
+ for (const char *const *bad = bad_strings; *bad != NULL; ++bad)
+ {
+ check ((struct spwd) {
+ .sp_namp = (char *) *bad,
+ }, NULL);
+ check ((struct spwd) {
+ .sp_namp = (char *) "root",
+ .sp_pwdp = (char *) *bad,
+ }, NULL);
+ }
+ }
+
+ return errors;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"