acassis commented on code in PR #13221: URL: https://github.com/apache/nuttx/pull/13221#discussion_r1734781136
########## libs/libc/pwd/lib_getspnamr.c: ########## @@ -0,0 +1,183 @@ +/**************************************************************************** + * libs/libc/pwd/lib_getspnamr.c + * + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. The + * ASF licenses this file to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance with the + * License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + * License for the specific language governing permissions and limitations + * under the License. + * + ****************************************************************************/ + +/**************************************************************************** + * Included Files + ****************************************************************************/ + +#include <nuttx/config.h> + +#include <stdio.h> +#include <string.h> +#include <shadow.h> + +/**************************************************************************** + * Private Functions + ****************************************************************************/ + +/* This implementation support Openwall-style TCB passwords in place of + * traditional shadow, if the appropriate directories and files exist. + * Thus, it is careful to avoid following symlinks or blocking on fifos + * which a malicious user might create in place of his or her TCB shadow + * file. It also avoids any allocation to prevent memory-exhaustion + * attacks via huge TCB shadow files + */ + +static long xatol(FAR char **s) +{ + if (**s == ':' || **s == '\n') + { + return -1; + } + + return strtol(*s, &(*s), 10); +} + +static int parsespent(FAR char *s, FAR struct spwd *sp) +{ + sp->sp_namp = s; + if (!(s = strchr(s, ':'))) + { + return -1; + } + + *s = 0; + sp->sp_pwdp = ++s; + if (!(s = strchr(s, ':'))) + { + return -1; + } + + *s = 0; + s++; + sp->sp_lstchg = xatol(&s); + if (*s != ':') + { + return -1; + } + + s++; + sp->sp_min = xatol(&s); + if (*s != ':') + { + return -1; + } + + s++; + sp->sp_max = xatol(&s); + if (*s != ':') + { + return -1; + } + + s++; + sp->sp_warn = xatol(&s); + if (*s != ':') + { + return -1; + } + + s++; + sp->sp_inact = xatol(&s); + if (*s != ':') + { + return -1; + } + + s++; + sp->sp_expire = xatol(&s); + if (*s != ':') + { + return -1; + } + + s++; + sp->sp_flag = xatol(&s); + if (*s != '\n') + { + return -1; + } + + return 0; +} + +/**************************************************************************** + * Public Functions + ****************************************************************************/ + +int getspnam_r(FAR const char *name, FAR struct spwd *sp, FAR char *buf, + size_t size, FAR struct spwd **res) +{ + size_t l = strlen(name); + size_t k; + FAR FILE *f; + int skip = 0; + + *res = NULL; + + /* Disallow potentially-malicious user names */ + + if (*name == '.' || strchr(name, '/') || l == 0) + { + set_errno(EINVAL); + return -1; + } + + /* Buffer size must at least be able to hold name, plus some.. */ + + if (size < l + 100) Review Comment: Please don't use hard-coded value (100), define a symbol to store this value, or get it from the right CONFIG_ ########## libs/libc/pwd/lib_pwd.h: ########## @@ -37,12 +38,14 @@ # define CONFIG_LIBC_PASSWD_LINESIZE 80 #endif -#define ROOT_NAME "root" -#define ROOT_UID 0 -#define ROOT_GID 0 -#define ROOT_GEOCS "root" -#define ROOT_DIR "/root" -#define ROOT_SHELL "/bin/nsh" +#define ROOT_NAME "root" +#define ROOT_UID 0 +#define ROOT_GID 0 +#define ROOT_GEOCS "root" +#define ROOT_DIR "/root" +#define ROOT_SHELL "/bin/nsh" +#define ROOT_PASSWD "root" +#define ROOT_PWDP "$1$123$SGj4CnC7VtiFx.tjjtazK1" Review Comment: Please don't store fixed/hard-coded password, get it from /etc/passwd search how it is done currently and compared against user configured CONFIG_NSH_LOGIN_PASSWORD -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: commits-unsubscr...@nuttx.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
