Bugtraq mailing list archives

Re: vixie cron possible local root compromise


From: Robert Bihlmeyer <robbe () ORCUS PRIV AT>
Date: Thu, 15 Feb 2001 13:51:43 +0100

gabriel rosenkoetter <gr () ECLIPSED NET> writes:

> Perhaps mine was not the most thought-out reply, but people who use
> usernames longer than 8 characters should be aware that those
> usernames are NOT unique under POSIX, and useradd programs that
> allow them are at least *also* broken.

So? Programs using features that are optional under POSIX (i.e. not
required to be present on a POSIX-compliant system) are of course not
broken.

You say that on a system supporting 32 character usernames, "useradd"
should refuse to add names longer than 8 characters? A warning would
be ok, perhaps.

Note that a decent frontend will surely check for the one problem you
raise (which is not restricted to long usernames): uniqueness.

So, if a user "eightchr" exists, adding another user "eightchr" should
fail (otherwise I concur that the useradd in question is broken).
Adding "eightchrsareenough" will automatically fail with "user exists"
on systems considering only the first 8 characters, and will magically
work otherwise. No problem here.

> (No question that cron should do better bounds checking; my point
> was that that bounds checking should be added out of paranoia, not
> out of necessity.)

A fix IS necessary for correctness, not paranoia. Systems supporting
9, 32, or 1024 characters in usernames are entirely compliant with
relevant standards, and crontab has certainly no excuse on segfaulting
over this. Bailing out is the least it must do. Deal with any length
it should.

--
Robbe
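
The two behaviours discussed in this message, as an added example that is not part of the original post and is not Vixie cron or useradd code: a bounded username copy that bails out instead of overrunning a fixed buffer, and a uniqueness check on the first N significant characters. The function names, the 9-byte buffer and the sample user list are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Copy a user name into a fixed-size buffer (hypothetical helper).
 * Returns 0 on success; returns -1 with errno = ENAMETOOLONG when the
 * name does not fit, so the caller can bail out instead of overrunning. */
int copy_username(char *dst, size_t dstsize, const char *name)
{
    size_t len = strlen(name);

    if (len >= dstsize) {          /* no room for name plus NUL */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, name, len + 1);    /* includes the terminating NUL */
    return 0;
}

/* Return 1 if candidate matches an existing name when only the first
 * `significant` characters are compared (hypothetical helper), else 0. */
int name_collides(const char *const *existing, size_t count,
                  const char *candidate, size_t significant)
{
    size_t i;

    for (i = 0; i < count; i++)
        if (strncmp(existing[i], candidate, significant) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample data. */
    const char *const users[] = { "root", "eightchr" };
    const char *newname = "eightchrsareenough";
    char buf[9];                   /* 8 characters plus NUL */

    if (copy_username(buf, sizeof buf, newname) != 0)
        perror(newname);           /* bail out cleanly */
    printf("8 significant chars:  %s\n",
           name_collides(users, 2, newname, 8) ? "user exists" : "ok");
    printf("32 significant chars: %s\n",
           name_collides(users, 2, newname, 32) ? "user exists" : "ok");
    return 0;
}
```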
