diff options
| author | Matthias Clasen <mclasen@redhat.com> | 2013-11-01 17:09:25 -0400 |
|---|---|---|
| committer | Ray Strode <rstrode@redhat.com> | 2013-11-04 18:59:44 -0500 |
| commit | 980692e6b9cfe4a34e22f566e0981a8c549e4348 (patch) | |
| tree | 8bc8128d9b9f670057a8a0c05b2424dbb61ee9f0 | |
| parent | f86c93014e698d81d43fe1ebaf805fa794e5a984 (diff) | |
| download | accountsservice-980692e6b9cfe4a34e22f566e0981a8c549e4348.tar.gz | |
Avoid deleting the root user
The check we have in place against deleting the root user can
be tricked by exploiting the fact that we are checking a gint64,
and then later cast it to a uid_t. This can be seen with the
following test, which will delete your root account:
qdbus --system org.freedesktop.Accounts /org/freedesktop/Accounts \
org.freedesktop.Accounts.DeleteUser -9223372036854775808 true
Found with the dfuzzer tool,
https://github.com/matusmarhefka/dfuzzer
| -rw-r--r-- | src/daemon.c | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/src/daemon.c b/src/daemon.c index ea75190..9c7001b 100644 --- a/src/daemon.c +++ b/src/daemon.c @@ -1227,7 +1227,7 @@ daemon_uncache_user (AccountsAccounts *accounts, } typedef struct { - gint64 uid; + uid_t uid; gboolean remove_files; } DeleteUserData; @@ -1309,13 +1309,13 @@ daemon_delete_user (AccountsAccounts *accounts, Daemon *daemon = (Daemon*)accounts; DeleteUserData *data; - if (uid == 0) { + if ((uid_t)uid == 0) { throw_error (context, ERROR_FAILED, "Refuse to delete root user"); return TRUE; } data = g_new0 (DeleteUserData, 1); - data->uid = uid; + data->uid = (uid_t)uid; data->remove_files = remove_files; daemon_local_check_auth (daemon, |