Bugtraq mailing list archives
Re: vixie cron possible local root compromise
From: Robert Bihlmeyer <robbe () ORCUS PRIV AT>
Date: Thu, 15 Feb 2001 13:51:43 +0100
gabriel rosenkoetter <gr () ECLIPSED NET> writes:
> Perhaps mine was not the most thought-out reply, but people who use usernames longer than 8 characters should be aware that those usernames are NOT unique under POSIX, and useradd programs that allow them are at least *also* broken.
So? Programs using features that are optional under POSIX (i.e. not required to be present on a POSIX-compliant system) are of course not broken. You say that on a system supporting 32 character usernames, "useradd" should refuse to add names longer than 8 characters? A warning would be ok, perhaps. Note that a decent frontend will surely check for the one problem you raise (which is not restricted to long usernames): uniqueness. So, if a user "eightchr" exists, adding another user "eightchr" should fail (otherwise I concur that the useradd in question is broken). Adding "eightchrsareenough" will automatically fail with "user exists" on systems considering only the first 8 characters, and will magically work otherwise. No problem here.
> (No question that cron should do better bounds checking; my point was that that bounds checking should be added out of paranoia, not out of necessity.)
A fix IS necessary for correctness, not paranoia. Systems supporting 9, 32, or 1024 characters in usernames are entirely compliant with relevant standards, and crontab has certainly no excuse on segfaulting over this. Bailing out is the least it must do. Deal with any length it should.
--
Robbe
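
Added example (not part of the original message, and not vixie cron's source): a C sketch of the two behaviours argued for above, refusing a login name that does not fit a fixed buffer instead of overflowing it, and testing uniqueness over only the significant characters. The buffer size `UNAME_BUF` and the function names `copy_username` and `name_exists` are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this sketch: 8 significant characters plus the NUL. */
#define UNAME_BUF 9

/* Copy a login name only if it fits entirely in dst (including NUL).
 * Returns 0 on success; on failure returns -1, sets errno and leaves
 * dst empty, so the caller bails out instead of overflowing or
 * silently truncating to a different user's name. */
int copy_username(char *dst, size_t dstsz, const char *name)
{
    size_t len = 0;
    if (dst == NULL || name == NULL || dstsz == 0) {
        errno = EINVAL;
        return -1;
    }
    while (len < dstsz && name[len] != '\0')   /* bounded scan */
        len++;
    if (len == dstsz) {                        /* no room for the NUL */
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, name, len + 1);
    return 0;
}

/* Uniqueness as a system comparing only the first `significant`
 * characters sees it. Returns 1 if candidate collides with an entry. */
int name_exists(const char *const *users, size_t n,
                const char *candidate, size_t significant)
{
    for (size_t i = 0; i < n; i++)
        if (strncmp(users[i], candidate, significant) == 0)
            return 1;
    return 0;
}

int main(void)
{
    const char *const users[] = { "root", "eightchr" };  /* constructed sample */
    char buf[UNAME_BUF];
    printf("fits: %d, too long: %d\n", copy_username(buf, sizeof buf, "eightchr"),
           copy_username(buf, sizeof buf, "eightchrsareenough"));
    printf("exists with 8 significant: %d, with 32: %d\n",
           name_exists(users, 2, "eightchrsareenough", 8),
           name_exists(users, 2, "eightchrsareenough", 32));
    return 0;
}
```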