2007-10-07 17:14:02 +05:30
* lib/prototypes.h, configure.in, libmisc/Makefile.am,
libmisc/xgetXXbyYY.c, libmisc/xgetpwnam.c, libmisc/xgetpwuid.c,
libmisc/xgetgrnam.c, libmisc/xgetgrgid.c, libmisc/xgetspnam.c:
Added functions xgetpwnam(), xgetpwuid(), xgetgrnam(),
xgetgrgid(), and xgetspnam(). They allocate memory for the
returned structure and are more robust to successive calls. They
are implemented with the libc's getxxyyy_r() functions if
available.
* libmisc/limits.c, libmisc/entry.c, libmisc/chowntty.c,
libmisc/addgrps.c, libmisc/myname.c, libmisc/rlogin.c,
libmisc/pwdcheck.c, src/newgrp.c, src/login_nopam.c,
src/userdel.c, src/lastlog.c, src/grpck.c, src/gpasswd.c,
src/newusers.c, src/chpasswd.c, src/chfn.c, src/groupmems.c,
src/usermod.c, src/expiry.c, src/groupdel.c, src/chgpasswd.c,
src/su.c, src/useradd.c, src/groupmod.c, src/passwd.c, src/pwck.c,
src/groupadd.c, src/chage.c, src/login.c, src/suauth.c,
src/faillog.c, src/groups.c, src/chsh.c, src/id.c: Review all the
usage of one of the getpwnam(), getpwuid(), getgrnam(),
getgrgid(), and getspnam() functions. It was noticed on
http://bugs.debian.org/341230 that chfn and chsh use a passwd
structure after calling a pam function, which results in using
information from the passwd structure requested by pam, not the
original one. It is much easier to use the new xget... functions
to avoid these issues. I've checked which call to the original
get... functions could be left (reducing the scope of the
structure if possible), and I've left comments to ease future
reviews (e.g. /* local, no need for xgetpwnam */).
Note: the getpwent/getgrent calls should probably be checked also.
* src/groupdel.c, src/expiry.c: Fix typos in comments.
* src/groupmod.c: Re-indent.
* libmisc/Makefile.am, lib/groupmem.c, lib/groupio.c, lib/pwmem.c,
lib/pwio.c, lib/shadowmem.c, lib/shadowio.c: Move the __<xx>_dup
functions (used by the xget... functions) from the <xx>io.c files
to the new <xx>mem.c files. This avoids linking some utils against
the SELinux library.
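The aliasing problem behind this entry, as an added example (not shadow's own code): getpwnam() returns a pointer into static storage that any later lookup, including one made inside a PAM call, overwrites. The `_demo` names are hypothetical; the sketch returns an owned deep copy built on getpwnam_r(), which is the approach the entry describes for the xget... functions.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

/* Release a copy made by pw_dup_demo(). */
void pw_free_demo(struct passwd *pw)
{
	if (pw == NULL)
		return;
	free(pw->pw_name);
	free(pw->pw_passwd);
	free(pw->pw_gecos);
	free(pw->pw_dir);
	free(pw->pw_shell);
	free(pw);
}

/* Deep copy: no pointer in the result aliases the caller's or libc's storage. */
struct passwd *pw_dup_demo(const struct passwd *src)
{
	struct passwd *pw = calloc(1, sizeof(*pw));

	if (pw == NULL)
		return NULL;
	pw->pw_uid = src->pw_uid;
	pw->pw_gid = src->pw_gid;
	pw->pw_name = strdup(src->pw_name);
	pw->pw_passwd = strdup(src->pw_passwd);
	pw->pw_gecos = strdup(src->pw_gecos);
	pw->pw_dir = strdup(src->pw_dir);
	pw->pw_shell = strdup(src->pw_shell);
	if (!pw->pw_name || !pw->pw_passwd || !pw->pw_gecos
	    || !pw->pw_dir || !pw->pw_shell) {
		pw_free_demo(pw);
		return NULL;
	}
	return pw;
}

/* Look up into a private buffer and hand back an owned copy, so a later
 * lookup by a library cannot change what the caller holds.
 * Fixed-size buffer for brevity: ERANGE is treated as "not found". */
struct passwd *xgetpwnam_demo(const char *name)
{
	struct passwd ent, *res = NULL;
	char buf[4096];

	if (getpwnam_r(name, &ent, buf, sizeof(buf), &res) != 0 || res == NULL)
		return NULL;
	return pw_dup_demo(res);
}
```

The caller owns the result and releases it with pw_free_demo().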
2007-11-19 04:45:26 +05:30
EXTRA_DIST = .indent.pro xgetXXbyYY.c
2007-10-07 17:14:02 +05:30

2021-07-24 04:21:13 +05:30
AM_CPPFLAGS = -I$(top_srcdir)/lib -I$(top_srcdir) $(ECONF_CPPFLAGS)
2007-10-07 17:14:02 +05:30

2021-02-01 10:14:09 +05:30
noinst_LTLIBRARIES = libmisc.la
2007-10-07 17:14:02 +05:30

2022-11-21 18:30:13 +05:30
libmisc_la_CFLAGS = $(LIBBSD_CFLAGS)
2021-02-01 10:14:09 +05:30
libmisc_la_SOURCES = \
2007-10-07 17:14:38 +05:30
addgrps.c \
age.c \
libmisc: agetpass(), erase_pass(): Add functions for getting passwords safely
There are several issues with getpass(3).
Many implementations of it share the same issues as the infamous
gets(3). In glibc it's not so terrible, since it's a wrapper
around getline(3). But it still has an important bug:
If the password is long enough, getline(3) will realloc(3) memory,
and prefixes of the password will be lying around in some
deallocated memory.
See the getpass(3) manual page for more details, and especially
the commit that marked it as deprecated, which links to a long
discussion in the linux-man@ mailing list.
So, readpassphrase(3bsd) is preferable, which is provided by
libbsd on GNU systems. However, using readpassphrase(3) directly
is a bit verbose, so we can write our own wrapper with a simpler
interface similar to that of getpass(3).
One of the benefits of writing our own interface around
readpassphrase(3) is that we can hide there any checks that should
be done always and which would be error-prone to repeat every
time. For example, check that there was no truncation in the
password.
Also, use malloc(3) to get the buffer, instead of using a global
buffer. We're not using a multithreaded program (and it wouldn't
make sense to do so), but it's nice to know that the visibility of
our passwords is as limited as possible.
erase_pass() is a clean-up function that handles all clean-up
correctly, including zeroing the entire buffer, and then
free(3)ing the memory. By using [[gnu::malloc(erase_pass)]], we
make sure that we don't leak the buffers in any case, since the
compiler will be able to enforce clean up.
Link: <https://git.kernel.org/pub/scm/docs/man-pages/man-pages.git/commit?id=7ca189099d73bde954eed2d7fc21732bcc8ddc6b>
Reported-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Alejandro Colomar <alx@kernel.org>
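An added sketch of the pattern this commit message describes, not the code from agetpass.c: one fixed-size heap buffer that is never reallocated, a truncation check hidden inside the wrapper, and a clean-up function that zeroes the whole buffer before freeing it. It reads from a file descriptor with read(2) in place of readpassphrase(3bsd) so that it runs without libbsd or a terminal; `agetpass_demo`, `erase_pass_demo`, `wipe_demo` and `PASS_MAX_DEMO` are hypothetical names.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PASS_MAX_DEMO 32	/* assumed limit, chosen for this example */
/* Overwrite the entire buffer; volatile stores are not optimised away. */
static void wipe_demo(char *buf)
{
	volatile char *p = buf;
	for (size_t i = 0; i <= PASS_MAX_DEMO; i++)
		p[i] = 0;
}

/* Clean-up half of the pair: zero everything, then free. */
void erase_pass_demo(char *pass)
{
	if (pass != NULL)
		wipe_demo(pass);
	free(pass);
}

#if defined(__GNUC__) && !defined(__clang__) && __GNUC__ >= 11
__attribute__((malloc(erase_pass_demo)))	/* GCC checks the pairing */
#endif
char *agetpass_demo(int fd)
{
	/* One fixed-size allocation, never realloc(3)ed: no stale prefixes. */
	char *pass = calloc(1, PASS_MAX_DEMO + 1);
	size_t len = 0;
	ssize_t r;
	char c;
	if (pass == NULL)
		return NULL;
	/* Byte-wise read(2), so no stdio buffer holds a second copy. */
	while ((r = read(fd, &c, 1)) == 1 && c != '\n') {
		if (len < PASS_MAX_DEMO)
			pass[len] = c;
		len++;	/* keep counting so truncation is detected */
	}
	if (r < 0 || len > PASS_MAX_DEMO) {
		wipe_demo(pass);
		free(pass);
		if (len > PASS_MAX_DEMO)
			errno = ENOBUFS;	/* too long: reject, never truncate */
		return NULL;
	}
	return pass;
}
```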
2022-09-27 01:52:24 +05:30
agetpass.c \
2007-10-07 17:17:01 +05:30
audit_help.c \
2007-10-07 17:14:38 +05:30
basename.c \
2023-01-30 17:13:34 +05:30
bit.c \
2007-10-07 17:14:38 +05:30
chkname.c \
2007-10-07 17:14:51 +05:30
chkname.h \
2007-10-07 17:14:38 +05:30
chowndir.c \
chowntty.c \
2008-12-23 03:22:43 +05:30
cleanup.c \
cleanup_group.c \
cleanup_user.c \
2007-10-07 17:14:38 +05:30
console.c \
copydir.c \
2021-12-22 20:02:17 +05:30
date_to_str.c \
2007-10-07 17:14:38 +05:30
entry.c \
env.c \
failure.c \
2007-10-07 17:14:51 +05:30
failure.h \
2008-06-16 00:03:52 +05:30
find_new_gid.c \
find_new_uid.c \
2013-01-22 14:45:05 +05:30
find_new_sub_gids.c \
find_new_sub_uids.c \
2007-10-07 17:14:51 +05:30
getdate.h \
2007-10-07 17:17:01 +05:30
getdate.y \
2009-04-11 04:04:10 +05:30
getgr_nam_gid.c \
2008-06-15 02:31:11 +05:30
getrange.c \
2017-03-15 16:06:21 +05:30
gettime.c \
2007-10-07 17:14:38 +05:30
hushed.c \
2013-01-22 14:50:07 +05:30
idmapping.h \
idmapping.c \
2007-10-07 17:14:38 +05:30
isexpired.c \
limits.c \
list.c log.c \
loginprompt.c \
mail.c \
2023-02-11 02:46:21 +05:30
mempcpy.c \
2007-10-07 17:14:38 +05:30
motd.c \
myname.c \
obscure.c \
pam_pass.c \
2017-10-23 01:54:32 +05:30
pam_pass_non_interactive.c \
2016-05-15 19:19:39 +05:30
prefix_flag.c \
2007-10-07 17:14:38 +05:30
pwd2spwd.c \
2007-10-07 17:14:44 +05:30
pwdcheck.c \
2007-10-07 17:14:38 +05:30
pwd_init.c \
2022-12-31 00:16:09 +05:30
csrand.c \
2010-03-31 03:24:29 +05:30
remove_tree.c \
2007-10-07 17:14:38 +05:30
rlogin.c \
2011-11-07 00:07:19 +05:30
root_flag.c \
2007-10-07 17:14:38 +05:30
salt.c \
setugid.c \
setupenv.c \
shell.c \
2023-02-11 03:04:37 +05:30
stpecpy.c \
2023-01-30 04:49:56 +05:30
stpeprintf.c \
2007-10-07 17:14:38 +05:30
strtoday.c \
sub.c \
sulog.c \
ttytype.c \
tz.c \
ulimit.c \
2009-05-19 00:02:17 +05:30
user_busy.c \
2007-10-07 17:14:38 +05:30
utmp.c \
valid.c \
2007-11-19 04:45:26 +05:30
xgetpwnam.c \
xgetpwuid.c \
xgetgrnam.c \
xgetgrgid.c \
xgetspnam.c \
2007-12-26 22:20:38 +05:30
xmalloc.c \
yesno.c
2019-01-23 20:47:05 +05:30

if WITH_BTRFS
2021-02-01 10:14:09 +05:30
libmisc_la_SOURCES += btrfs.c
2019-01-23 20:47:05 +05:30
endif