[PATCH] libnss_winbind: getpwuid does not handle zombie uids
buc at odusz.so-cdu.ru
Wed Oct 24 15:08:35 GMT 2007
When getpwuid(3) function is called with a nonexistent uid, it should
return an error (either NULL pointer of -1 for getpwnam_r() ).
There are many cases where getpwnam() is called such a way.
For example: when you run "ls -l" in the directory of a just deleted
user. Since the user is deleted, its name is no more valid, thus "ls -l"
shows just numbers in the field of a username (or group), i.e.
-rwxr-xr-x 1 1000 users 1234567 Oct 24 18:45 filename
-rwxr-xr-x 1 foo users 1234567 Oct 24 18:45 filename
because the user "foo" was deleted (no more present in /etc/passwd or
some NSS base).
libnss_winbind.so module from Samba-3.0.26a (and perhaps earlier too)
does not handle such situations properly. Instead of returning of NULL
(or -1), getpwnam() returns a passwd struct with an empty ("") username,
gid of 0, and template homedir and shell.
For example (consider 1000 as such a nonexistent uid number):
> getent passwd 1000
with exit code of 0, instead of return nothing with exit code of 2
> ls -l filename
> -rwxr-xr-x 1 users 1234567 Oct 24 18:45 filename
> -rwxr-xr-x 1 1000 users 1234567 Oct 24 18:45 filename
i.e. the output contains less fields than expected.
It can be dangerous, as a lot of user scripts (and perhaps some system
scripts) might expect the exact amount of non-empty fields in "ls -l "
Moreover, the primary gid of such a "user" is returned as "0" (root
group), which seems dangerous too.
I've tested this bug a little and have made a patch (attached) which
resolves this issue for me.
It seems that query_user_recv() routine just had forgotten to check
"response->result" (as all another similar callbacks always do).
Don't know, whether it is a "Security" issue or not... :-/
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 683 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20071024/736c1fb9/samba-3.0.26a-getpwuid.bin
More information about the samba-technical