adduser/passwd: too long username
Natanael Copa
ncopa at alpinelinux.org
Mon Aug 18 18:37:00 UTC 2014
On Mon, 18 Aug 2014 15:37:46 +0200
Denys Vlasenko <vda.linux at googlemail.com> wrote:
> On Mon, Aug 18, 2014 at 3:17 PM, Laszlo Papp <lpapp at kde.org> wrote:
> >> > Denys, this fix was sent two weeks ago? Why have you not applied it
> >> > until
> >> > there is a better fix (if any)? This is still broken and results a
> >> > system
> >> > with potential stray users around.
> >>
> >> I'm having bad feelings about the fix along the lines of
> >>
> >> -#define PWD_BUFFER_SIZE 256
> >> -#define GRP_BUFFER_SIZE 256
> >> +#define PWD_BUFFER_SIZE 2*LOGIN_NAME_MAX+256
> >> +#define GRP_BUFFER_SIZE 2*LOGIN_NAME_MAX+256
> >>
> >> I fear that people (situations) strange enough to use names as long as
> >>
> >> fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
> >> can easily use names thrice as long.
> >
> >
> > I do not follow. It is also completely inline with the desktop practice that
> > has existed for several decades now...
> >
> >>
> >> From the API perspective, xmalloc_getpwnam(username) would be ideal.
> >> But it would require significant rework.
> >
> >
> > Exactly my point. I would be unhappy to keep patching my busybox locally
> > just because stray users can stay around on my system with the latest
> > busybox. My stance is usually applying changes that fix issues until there
> > are better approaches. Currently, I am not funded by anyone to work on this
> > "nice design" in full-time and I did provide a quick fix for the issue at
> > hand.
>
> How sure are you that a buffer of 3*256 is big enough?
Not only that, it introduces a serious regression.
I had a similar bug caused by the same underlying issue.
Problem was that there was a limit on how many users you could add to a
group. It is in fact an old issue:
https://bugs.alpinelinux.org/issues/733
I added a patch very similar the patch above, just slightly more
conservative. I never liked this as it can cause unforseen consquences.
http://git.alpinelinux.org/cgit/aports/commit/main/busybox?h=2.6-stable&id=ab88f58f005a1177790e582e1f0171cc4ee5dcce
However, this introduced a new issue, that caused login from console
totally break:
http://bugs.alpinelinux.org/issues/2838
I never tested it bu I believe it breaks sulogin and httpd's password
features as well. After grepping the sources I think solved all places
with this patch:
http://git.alpinelinux.org/cgit/aports/tree/main/busybox/pwdgrp-bufsize.patch?h=2.6-stable&id=623c0906aa469523f04146e10b8ad7ab8cdc35f2
*if* you want to bump the buf size you need bump it equally on all
those places or you will get problems (if you go that route you should
use a constant for those ofcourse - which might be a good idea anyways)
I never sent those patches upstream because I don't think this is the
correct fix. For Alpine Linux the "correct" fix was to use the libc
implementation and a libc that handles this properly (musl libc)
together with the patch I sent to this mailing list.
http://lists.busybox.net/pipermail/busybox/2014-April/080809.html
Commit message didn't say it but that patch is also needed to fix the
username/groupsize issue - with glibc too I believe.
-nc
More information about the busybox
mailing list