Hi,
this patch adds the new function xcheck_name()
void xcheck_name(const char *name)
{
int i = 0;
do {
if (!isalnum(*name)
&& !(*name == '_')
&& !(*name == '.')
&& !(*name == '@')
&& !(*name == '-' && i)
&& !(*name == '$' && !*(name + 1))
)
bb_error_msg_and_die("illegal character '%c'", *name);
i++;
} while (*++name);
}
to libbb that is used by adduser and addgroup to check
for illegal characters in user and group names.
The rules enforced are:
the username should consist only of
letters, digits, underscores, periods, at signs and dashes,
and not start with a dash (as defined by IEEE Std 1003.1-2001).
For compatibility with Samba machine accounts $ is also supported
at the end of the username.
This feature is optional and off by default.
It can be turned on with the switch
Login/Password Management Utilities ---> [*] Enable sanity check on user and
group names in adduser and addgroup
that is visible only if adduser or addgroup are selected.
This menuconfig solution seems suboptimal to me
but iwas not able to find a better way.
Bloat-o-meter says:
scripts/bloat-o-meter busybox_old busybox_unstripped
function old new delta
xcheck_name - 88 +88
.rodata 118977 119000 +23
adduser_main 625 634 +9
addgroup_main 364 372 +8
UNSPEC_print 70 72 +2
cut_main 1047 1046 -1
get_next_line 145 143 -2
display_speed 96 91 -5
arith 2071 2062 -9
mainSort 2592 2560 -32
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 4/5 up/down: 130/-49) Total: 81 bytes
The patch applies to current svn, is tested a little
and seems to work for me.
Hints, critics and help by the list members are as always welcome. ;-)
Ciao,
Tito
--- busybox.orig/libbb/xcheck_name.c 1970-01-01 01:00:00.000000000 +0100
+++ busybox/libbb/xcheck_name.c 2008-02-29 22:44:18.000000000 +0100
@@ -0,0 +1,34 @@
+/* vi: set sw=4 ts=4: */
+/*
+ * Ckeck user and group names for illegal characters
+ *
+ * Copyright (C) 2008 Tito Ragusa <[EMAIL PROTECTED]>
+ *
+ * Licensed under GPLv2 or later, see file LICENSE in this tarball for details.
+ */
+
+#include "libbb.h"
+
+/* To avoid problems, the username should consist only of
+ * letters, digits, underscores, periods, at signs and dashes,
+ * and not start with a dash (as defined by IEEE Std 1003.1-2001).
+ * For compatibility with Samba machine accounts $ is also supported
+ * at the end of the username.
+ */
+
+void xcheck_name(const char *name)
+{
+ int i = 0;
+
+ do {
+ if (!isalnum(*name)
+ && !(*name == '_')
+ && !(*name == '.')
+ && !(*name == '@')
+ && !(*name == '-' && i)
+ && !(*name == '$' && !*(name + 1))
+ )
+ bb_error_msg_and_die("illegal character '%c'", *name);
+ i++;
+ } while (*++name);
+}
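Review bot: `isalnum(*name)` receives a plain `char`, which is undefined for bytes above 0x7f where `char` is signed, and in a non-C locale it can accept letters outside the ASCII set the comment describes (unless libbb.h supplies its own ASCII-only version, which is not visible here). Writing `isalnum((unsigned char)*name)` removes the undefined behaviour, and an explicit range test on `'a'..'z'`, `'A'..'Z'`, `'0'..'9'` would remove the locale dependence as well. The `'$'` clause also accepts a name consisting only of `$`, because `!*(name + 1)` holds at index 0; `&& !(*name == '$' && i && !*(name + 1))` would require at least one preceding character, as the `'-'` clause already does. An empty name is rejected only by falling into the error path, which then formats a NUL byte with `'%c'`; an explicit `if (!*name) bb_error_msg_and_die("empty name");` before the loop would give a usable message.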
--- busybox.orig/libbb/Kbuild 2008-02-28 08:32:01.000000000 +0100
+++ busybox/libbb/Kbuild 2008-02-27 14:36:42.000000000 +0100
@@ -121,6 +119,7 @@
lib-$(CONFIG_SELINUX) += selinux_common.o
lib-$(CONFIG_HWCLOCK) += rtc.o
lib-$(CONFIG_RTCWAKE) += rtc.o
+lib-$(CONFIG_FEATURE_CHECK_NAMES) += xcheck_name.o
# We shouldn't build xregcomp.c if we don't need it - this ensures we don't
# require regex.h to be in the include dir even if we don't need it thereby
--- busybox.orig/include/libbb.h 2008-02-28 08:32:01.000000000 +0100
+++ busybox/include/libbb.h 2008-02-27 14:53:51.000000000 +0100
@@ -616,7 +608,9 @@
void clear_username_cache(void);
/* internally usernames are saved in fixed-sized char[] buffers */
enum { USERNAME_MAX_SIZE = 16 - sizeof(int) };
-
+#if ENABLE_FEATURE_CHECK_NAMES
+void xcheck_name(const char* name);
+#endif
int execable_file(const char *name);
char *find_execable(const char *filename);
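Review bot: The new prototype is written `const char* name`, while the declarations around it (for example `int execable_file(const char *name);` just below) bind the `*` to the parameter name, so `void xcheck_name(const char *name);` would match the header. The prototype also has no comment telling callers that it does not return on failure; a one-line comment such as `/* Dies with an error message if name contains a character not allowed in user or group names */` would make that explicit. The `#if`/`#endif` guard is optional for a bare declaration, and dropping it would keep the blank line this hunk removes after the enum.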
--- busybox.orig/loginutils/adduser.c 2008-02-20 16:53:29.000000000 +0100
+++ busybox/loginutils/adduser.c 2008-03-01 23:00:28.000000000 +0100
@@ -111,6 +111,10 @@
/* fill in the passwd struct */
pw.pw_name = argv[0];
+#if ENABLE_FEATURE_CHECK_NAMES
+ /* Check username for illegal characters. */
+ xcheck_name(pw.pw_name);
+#endif
if (!pw.pw_dir) {
/* create string for $HOME if not specified already */
pw.pw_dir = xasprintf("/home/%s", argv[0]);
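Review bot: The name checked here is interpolated into `/home/%s` a few lines further down, and xcheck_name as added in this patch accepts `.` and `..` because a period is allowed at every position, so the default home path can resolve to `/home` itself or to `/`. Rejecting those two names inside xcheck_name closes this, for example `if (name[0] == '.' && (!name[1] || (name[1] == '.' && !name[2]))) bb_error_msg_and_die("illegal name");` before its loop. The check is compiled in only with FEATURE_CHECK_NAMES, which the patch defaults to off, so a default build still passes argv[0] through unvalidated; the comment could say so, e.g. `/* Only with FEATURE_CHECK_NAMES: dies on illegal characters */`. The enclosing function starts and ends outside the hunk.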
--- busybox.orig/loginutils/addgroup.c 2007-10-29 21:44:04.000000000 +0100
+++ busybox/loginutils/addgroup.c 2008-03-01 23:03:32.000000000 +0100
@@ -173,8 +173,14 @@
#endif /* ENABLE_FEATURE_SHADOWPASSWDS */
} else
#endif /* ENABLE_FEATURE_ADDUSER_TO_GROUP */
+ {
+#if ENABLE_FEATURE_CHECK_NAMES
+ /* Check group name for illegal characters. */
+ xcheck_name(argv[0]);
+#endif /* ENABLE_FEATURE_CHECK_NAMES */
new_group(argv[0], gid);
+ }
/* Reached only on success */
return EXIT_SUCCESS;
}
--- busybox.orig/loginutils/Config.in 2008-02-20 16:53:29.000000000 +0100
+++ busybox/loginutils/Config.in 2008-02-29 22:30:23.000000000 +0100
@@ -82,6 +82,18 @@
If called with two non-option arguments, deluser
or delgroup will remove an user from a specified group.
+config FEATURE_CHECK_NAMES
+ bool "Enable sanity check on user and group names in adduser and addgroup"
+ default n
+ depends on ADDUSER || ADDGROUP
+ help
+ Enable sanity check on user and group names in adduser and addgroup.
+ To avoid problems, the user or group name should consist only of
+ letters, digits, underscores, periods, at signs and dashes,
+ and not start with a dash (as defined by IEEE Std 1003.1-2001).
+ For compatibility with Samba machine accounts \$ is also supported
+ at the end of the user or group name.
+
config ADDUSER
bool "adduser"
default n
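Review bot: The help text writes `\$`, and as far as I know Kconfig help text is shown verbatim, so menuconfig would display the backslash; a plain `$` is probably what is wanted. The parenthetical "(as defined by IEEE Std 1003.1-2001)" reads as covering the whole list, but the POSIX portable filename character set, as I read it, has no `@`, so the sentence could be reworded to mark `@` and the trailing `$` as extensions. The help also does not say that adduser and addgroup exit with an error when the check fails, which is worth one sentence. The entry is placed before `config ADDUSER` although it depends on ADDUSER || ADDGROUP; moving it after both entries may let menuconfig list it below them.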