adduser/passwd: too long username

Denys Vlasenko vda.linux at googlemail.com
Mon Aug 18 13:12:33 UTC 2014


On Sun, Aug 17, 2014 at 12:48 PM, Laszlo Papp <lpapp at kde.org> wrote:
>
>
>
> On Tue, Aug 5, 2014 at 8:34 PM, Laszlo Papp <lpapp at kde.org> wrote:
>>
>> On Tue, Aug 5, 2014 at 7:16 PM, Denys Vlasenko <vda.linux at googlemail.com>
>> wrote:
>>>
>>> On Mon, Aug 4, 2014 at 7:06 PM, Laszlo Papp <lpapp at kde.org> wrote:
>>> > sudo busybox adduser
>>> >
>>> > fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
>>> > passwd: unknown user
>>> >
>>> > fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
>>> >
>>> > Yet, the user is created in /etc/shadow:
>>> >
>>> >
>>> > fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff:!:16286:0:99999:7:::
>>> >
>>> > This is at least one issue, but there is another here:
>>> >
>>> > sudo busybox deluser
>>> >
>>> > fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
>>> > deluser: unknown user
>>> >
>>> > fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
>>>
>>> Both issues come from the same location in the codebase:
>>> bb__pgsreader() parser drops lines which are longer than its buffer.
>>>
>>> Effectively, bbox ignores the offending line in /etc/passwd.
>>>
>>> > Could you please look into this and potentially fix it? Thanks in
>>> > advance.
>>>
>>> Anyone willing to rewrite getpwnam API to use variable-sized malloced
>>> buffer?
>>
>>
>> Is that a junior job?
>
>
> Denys, this fix was sent two weeks ago? Why have you not applied it until
> there is a better fix (if any)? This is still broken and results in a system
> with potential stray users around.

I'm having bad feelings about the fix along the lines of

-#define PWD_BUFFER_SIZE 256
-#define GRP_BUFFER_SIZE 256
+#define PWD_BUFFER_SIZE 2*LOGIN_NAME_MAX+256
+#define GRP_BUFFER_SIZE 2*LOGIN_NAME_MAX+256
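
Review bot: the new PWD_BUFFER_SIZE and GRP_BUFFER_SIZE definitions expand to an unparenthesized expression, so any use inside a larger expression (for example PWD_BUFFER_SIZE * 2, or a division by it) would bind incorrectly; write them as (2*LOGIN_NAME_MAX+256). The size is also still a compile-time constant, so a passwd or group line longer than the new bound would still not fit the buffer, and a comment next to the defines stating the longest line they are meant to cover would make that limit visible.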

I fear that people (situations) strange enough to use names as long as
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
can easily use names thrice as long.

From the API perspective, xmalloc_getpwnam(username) would be ideal.
But it would require significant rework.
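
An added illustration of the failure mode discussed in this thread, not code from BusyBox or from any poster: a simplified model of a fixed-size line buffer that drops lines which do not fit, beside a getline()-based lookup that uses a variable-sized malloc'ed buffer. `lookup_fixed`, `lookup_dynamic`, `demo` and the sample passwd lines are hypothetical names and constructed data; only the value 256 for `PWD_BUFFER_SIZE` comes from the thread.

```c
#define _POSIX_C_SOURCE 200809L      /* getline(), fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PWD_BUFFER_SIZE 256          /* the fixed size quoted in the thread */

static int name_matches(const char *line, const char *name)
{
    size_t n = strlen(name);         /* first ':'-separated field == name? */
    return strncmp(line, name, n) == 0 && line[n] == ':';
}

/* Simplified model (an assumption, not BusyBox source): a line that does not
 * fit in the fixed buffer is dropped whole, so its entry is never seen. */
int lookup_fixed(FILE *f, const char *name)
{
    char buf[PWD_BUFFER_SIZE];
    int skipping = 0;                /* still inside an overlong line? */
    while (fgets(buf, sizeof(buf), f)) {
        int complete = strchr(buf, '\n') != NULL || feof(f);
        if (!skipping && complete && name_matches(buf, name)) return 1;
        skipping = !complete;
    }
    return 0;
}

/* Variable-sized alternative: getline() grows a malloc'ed buffer to fit. */
int lookup_dynamic(FILE *f, const char *name)
{
    char *line = NULL;
    size_t cap = 0;
    int found = 0;
    while (!found && getline(&line, &cap, f) != -1)
        found = name_matches(line, name);
    free(line);
    return found;
}

/* Constructed passwd image: root plus one user named with 8 or 120 'f's. */
int demo(int long_name, int use_dynamic)
{
    char name[128] = "", db[512];
    memset(name, 'f', long_name ? 120 : 8);
    snprintf(db, sizeof(db), "root:x:0:0:root:/root:/bin/sh\n"
             "%s:x:1000:1000::/home/%s:/bin/sh\n", name, name);
    FILE *f = fmemopen(db, strlen(db), "r");
    if (!f) return -1;
    int found = use_dynamic ? lookup_dynamic(f, name) : lookup_fixed(f, name);
    fclose(f);
    return found;
}
```

With the 120-character name the constructed line is 269 bytes, so `demo(1, 0)` reports the entry as missing even though it is present in the data, while `demo(1, 1)` finds it.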