summaryrefslogtreecommitdiff
path: root/pwd
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2015-10-02 11:34:13 +0200
committerFlorian Weimer <fweimer@redhat.com>2015-10-02 11:34:13 +0200
commit676599b36a92f3c201c5682ee7a5caddd9f370a4 (patch)
tree6860752c26ccab76ee9db5e60ff465d1edf25feb /pwd
parentb0f81637d5bda47be93bac34b68f429a12979321 (diff)
downloadglibc-676599b36a92f3c201c5682ee7a5caddd9f370a4.tar.gz
Harden putpwent, putgrent, putspent, putspent against injection [BZ #18724]
This prevents injection of ':' and '\n' into output functions which use the NSS files database syntax. Critical fields (user/group names and file system paths) are checked strictly. For backwards compatibility, the GECOS field is rewritten instead. The getent program is adjusted to use the put*ent functions in libc, instead of local copies. This changes the behavior of getent if user names start with '-' or '+'.
Diffstat (limited to 'pwd')
-rw-r--r--pwd/Makefile2
-rw-r--r--pwd/putpwent.c52
-rw-r--r--pwd/tst-putpwent.c168
3 files changed, 200 insertions, 22 deletions
diff --git a/pwd/Makefile b/pwd/Makefile
index 7f6de03b57..af0973455b 100644
--- a/pwd/Makefile
+++ b/pwd/Makefile
@@ -28,7 +28,7 @@ routines := fgetpwent getpw putpwent \
getpwent getpwnam getpwuid \
getpwent_r getpwnam_r getpwuid_r fgetpwent_r
-tests := tst-getpw
+tests := tst-getpw tst-putpwent
include ../Rules
diff --git a/pwd/putpwent.c b/pwd/putpwent.c
index 8be58c27ae..16b9c6f80f 100644
--- a/pwd/putpwent.c
+++ b/pwd/putpwent.c
@@ -18,37 +18,47 @@
#include <errno.h>
#include <stdio.h>
#include <pwd.h>
+#include <nss.h>
#define _S(x) x ?: ""
-/* Write an entry to the given stream.
- This must know the format of the password file. */
+/* Write an entry to the given stream. This must know the format of
+ the password file. If the input contains invalid characters,
+ return EINVAL, or replace them with spaces (if they are contained
+ in the GECOS field). */
int
-putpwent (p, stream)
- const struct passwd *p;
- FILE *stream;
+putpwent (const struct passwd *p, FILE *stream)
{
- if (p == NULL || stream == NULL)
+ if (p == NULL || stream == NULL
+ || p->pw_name == NULL || !__nss_valid_field (p->pw_name)
+ || !__nss_valid_field (p->pw_passwd)
+ || !__nss_valid_field (p->pw_dir)
+ || !__nss_valid_field (p->pw_shell))
{
__set_errno (EINVAL);
return -1;
}
+ int ret;
+ char *gecos_alloc;
+ const char *gecos = __nss_rewrite_field (p->pw_gecos, &gecos_alloc);
+
+ if (gecos == NULL)
+ return -1;
+
if (p->pw_name[0] == '+' || p->pw_name[0] == '-')
- {
- if (fprintf (stream, "%s:%s:::%s:%s:%s\n",
- p->pw_name, _S (p->pw_passwd),
- _S (p->pw_gecos), _S (p->pw_dir), _S (p->pw_shell)) < 0)
- return -1;
- }
+ ret = fprintf (stream, "%s:%s:::%s:%s:%s\n",
+ p->pw_name, _S (p->pw_passwd),
+ gecos, _S (p->pw_dir), _S (p->pw_shell));
else
- {
- if (fprintf (stream, "%s:%s:%lu:%lu:%s:%s:%s\n",
- p->pw_name, _S (p->pw_passwd),
- (unsigned long int) p->pw_uid,
- (unsigned long int) p->pw_gid,
- _S (p->pw_gecos), _S (p->pw_dir), _S (p->pw_shell)) < 0)
- return -1;
- }
- return 0;
+ ret = fprintf (stream, "%s:%s:%lu:%lu:%s:%s:%s\n",
+ p->pw_name, _S (p->pw_passwd),
+ (unsigned long int) p->pw_uid,
+ (unsigned long int) p->pw_gid,
+ gecos, _S (p->pw_dir), _S (p->pw_shell));
+
+ free (gecos_alloc);
+ if (ret >= 0)
+ ret = 0;
+ return ret;
}
diff --git a/pwd/tst-putpwent.c b/pwd/tst-putpwent.c
new file mode 100644
index 0000000000..a408e43e3b
--- /dev/null
+++ b/pwd/tst-putpwent.c
@@ -0,0 +1,168 @@
+/* Test for processing of invalid passwd entries. [BZ #18724]
+ Copyright (C) 2015 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <errno.h>
+#include <pwd.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+
+static bool errors;
+
+static void
+check (struct passwd p, const char *expected)
+{
+ char *buf;
+ size_t buf_size;
+ FILE *f = open_memstream (&buf, &buf_size);
+
+ if (f == NULL)
+ {
+ printf ("open_memstream: %m\n");
+ errors = true;
+ return;
+ }
+
+ int ret = putpwent (&p, f);
+
+ if (expected == NULL)
+ {
+ if (ret == -1)
+ {
+ if (errno != EINVAL)
+ {
+ printf ("putpwent: unexpected error code: %m\n");
+ errors = true;
+ }
+ }
+ else
+ {
+ printf ("putpwent: unexpected success (\"%s\")\n", p.pw_name);
+ errors = true;
+ }
+ }
+ else
+ {
+ /* Expect success. */
+ size_t expected_length = strlen (expected);
+ if (ret == 0)
+ {
+ long written = ftell (f);
+
+ if (written <= 0 || fflush (f) < 0)
+ {
+ printf ("stream error: %m\n");
+ errors = true;
+ }
+ else if (buf[written - 1] != '\n')
+ {
+ printf ("FAILED: \"%s\" without newline\n", expected);
+ errors = true;
+ }
+ else if (strncmp (buf, expected, written - 1) != 0
+ || written - 1 != expected_length)
+ {
+ printf ("FAILED: \"%s\" (%ld), expected \"%s\" (%zu)\n",
+ buf, written - 1, expected, expected_length);
+ errors = true;
+ }
+ }
+ else
+ {
+ printf ("FAILED: putpwent (expected \"%s\"): %m\n", expected);
+ errors = true;
+ }
+ }
+
+ fclose (f);
+ free (buf);
+}
+
+static int
+do_test (void)
+{
+ check ((struct passwd) {
+ .pw_name = (char *) "root",
+ },
+ "root::0:0:::");
+ check ((struct passwd) {
+ .pw_name = (char *) "root",
+ .pw_passwd = (char *) "password",
+ },
+ "root:password:0:0:::");
+ check ((struct passwd) {
+ .pw_name = (char *) "root",
+ .pw_passwd = (char *) "password",
+ .pw_uid = 12,
+ .pw_gid = 34,
+ .pw_gecos = (char *) "gecos",
+ .pw_dir = (char *) "home",
+ .pw_shell = (char *) "shell",
+ },
+ "root:password:12:34:gecos:home:shell");
+ check ((struct passwd) {
+ .pw_name = (char *) "root",
+ .pw_passwd = (char *) "password",
+ .pw_uid = 12,
+ .pw_gid = 34,
+ .pw_gecos = (char *) ":ge\n:cos\n",
+ .pw_dir = (char *) "home",
+ .pw_shell = (char *) "shell",
+ },
+ "root:password:12:34: ge cos :home:shell");
+
+ /* Bad values. */
+ {
+ static const char *const bad_strings[] = {
+ ":",
+ "\n",
+ ":bad",
+ "\nbad",
+ "b:ad",
+ "b\nad",
+ "bad:",
+ "bad\n",
+ "b:a\nd",
+ NULL
+ };
+ for (const char *const *bad = bad_strings; *bad != NULL; ++bad)
+ {
+ check ((struct passwd) {
+ .pw_name = (char *) *bad,
+ }, NULL);
+ check ((struct passwd) {
+ .pw_name = (char *) "root",
+ .pw_passwd = (char *) *bad,
+ }, NULL);
+ check ((struct passwd) {
+ .pw_name = (char *) "root",
+ .pw_dir = (char *) *bad,
+ }, NULL);
+ check ((struct passwd) {
+ .pw_name = (char *) "root",
+ .pw_shell = (char *) *bad,
+ }, NULL);
+ }
+ }
+
+ return errors > 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"