From: Sören Tempel <[email protected]> On Alpine, some users use /dev/null as a home directory. When removing such a user with `deluser --remove-home` this causes the /dev/null device file to be removed which is undesirable. To prevent this pitfall, check if the home directory specified for the user is an actual directory (or a symlink to a directory).
Implementations of similar tools for other operating systems also implement such checks. For instance, the OpenBSD rmuser(1) implementation [0]. [0]: https://github.com/openbsd/src/blob/b69faa6c70c5bfcfdddc6138cd8e0ee18cc15b03/usr.sbin/adduser/rmuser.perl#L143-L151 --- loginutils/deluser.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/loginutils/deluser.c b/loginutils/deluser.c index 56bc7eaa6..585e82090 100644 --- a/loginutils/deluser.c +++ b/loginutils/deluser.c @@ -99,8 +99,15 @@ int deluser_main(int argc, char **argv) pfile = bb_path_passwd_file; if (ENABLE_FEATURE_SHADOWPASSWDS) sfile = bb_path_shadow_file; - if (opt_delhome) - remove_file(pw->pw_dir, FILEUTILS_RECUR); + if (opt_delhome) { + struct stat st; + + /* Make sure home is an actual directory before + * removing it (e.g. users with /dev/null as home) */ + xstat(pw->pw_dir, &st); + if (S_ISDIR(st.st_mode)) + remove_file(pw->pw_dir, FILEUTILS_RECUR); + } } else { struct group *gr; do_delgroup: _______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
