[PATCH] libnss_winbind: getpwuid does not handle zombie uids properly

Dmitry Butskoy buc at odusz.so-cdu.ru
Wed Oct 24 15:08:35 GMT 2007


When the getpwuid(3) function is called with a nonexistent uid, it should 
return an error (either a NULL pointer or -1 for getpwnam_r()).

There are many cases where getpwnam() is called in such a way.

For example: when you run "ls -l" in the directory of a just deleted 
user. Since the user is deleted, its name is no longer valid, thus "ls -l" 
shows just numbers in the username (or group) field, i.e.

-rwxr-xr-x   1     1000  users   1234567   Oct 24 18:45   filename

instead of:

-rwxr-xr-x   1     foo  users   1234567   Oct 24 18:45   filename

because the user "foo" was deleted (no longer present in /etc/passwd or 
some NSS base).


The libnss_winbind.so module from Samba-3.0.26a (and perhaps earlier too) 
does not handle such situations properly. Instead of returning NULL 
(or -1), getpwnam() returns a passwd struct with an empty ("") username, 
a gid of 0, and the template homedir and shell.

For example (consider 1000 as such a nonexistent uid number):
> getent  passwd  1000
returns
> :*:1000:0::/home/:/bin/bash
with an exit code of 0, instead of returning nothing with an exit code of 2


> ls -l filename
returns
> -rwxr-xr-x   1       users   1234567   Oct 24 18:45   filename
instead of
> -rwxr-xr-x   1     1000  users   1234567   Oct 24 18:45   filename
i.e. the output contains fewer fields than expected.


It can be dangerous, as a lot of user scripts (and perhaps some system 
scripts) might expect the exact number of non-empty fields in "ls -l" 
output.

Moreover, the primary gid of such a "user" is returned as "0" (root 
group), which seems dangerous too.


I've tested this bug a little and have made a patch (attached) which 
resolves this issue for me.

It seems that the query_user_recv() routine had simply forgotten to check 
"response->result" (as all other similar callbacks always do).

Don't know whether it is a "Security" issue or not... :-/


Regards,
Dmitry Butskoy

-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-3.0.26a-getpwuid.patch
Type: text/x-diff
Size: 683 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20071024/736c1fb9/samba-3.0.26a-getpwuid.bin
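
The following is an added example, not part of the original message or the attached patch, and not Samba code: a caller-side sanity check that rejects an entry like the one reported above (empty username, gid 0) before it is used. The function names passwd_entry_is_sane, bogus_entry and uid_to_name are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Returns 1 only if the entry is usable for the uid that was asked for. */
int passwd_entry_is_sane(const struct passwd *pw, uid_t requested)
{
    if (pw == NULL)
        return 0;                 /* the normal "no such user" result */
    if (pw->pw_name == NULL || pw->pw_name[0] == '\0')
        return 0;                 /* empty username, as in the report */
    if (pw->pw_uid != requested)
        return 0;                 /* entry belongs to a different uid */
    return 1;
}

/* Constructed sample mirroring ":*:1000:0::/home/:/bin/bash" from the report. */
struct passwd bogus_entry(void)
{
    static char empty[] = "", star[] = "*", home[] = "/home/", sh[] = "/bin/bash";
    struct passwd pw;
    memset(&pw, 0, sizeof pw);
    pw.pw_name = empty;  pw.pw_passwd = star;
    pw.pw_uid = 1000;    pw.pw_gid = 0;
    pw.pw_gecos = empty; pw.pw_dir = home;  pw.pw_shell = sh;
    return pw;
}

/* Resolve uid to a name; returns 0 on success, -1 if missing or not sane.
 * getpwuid() uses static storage, so this helper is not thread-safe. */
int uid_to_name(uid_t uid, char *out, size_t outlen)
{
    struct passwd *pw = getpwuid(uid);
    if (!passwd_entry_is_sane(pw, uid))
        return -1;                /* caller should fall back to the number */
    snprintf(out, outlen, "%s", pw->pw_name);
    return 0;
}

int main(void)
{
    struct passwd b = bogus_entry();
    char name[64];
    printf("reported entry sane: %d\n", passwd_entry_is_sane(&b, 1000));
    if (uid_to_name(1000, name, sizeof name) == 0)
        printf("uid 1000 -> %s\n", name);
    else
        printf("uid 1000 -> 1000 (no valid entry)\n");
    return 0;
}
```
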

