Re: Password corruption in adduser

2017-02-06 Thread Theo Buehler
On Mon, Feb 06, 2017 at 11:04:02AM +, Raf Czlonka wrote:
> Hi all,
> 
> How about doing it throughout the tree[0]?
> 
> [0] http://marc.info/?m=142689311221135

Thanks. Most of those are already fixed (or have been removed). I found
and fixed the one in smtpd/table.5 right after fixing this one and the
only $2a$ hash remaining is in ssh/auth.c, which I'll leave to others.
You may want to submit it as a separate patch.



Re: Password corruption in adduser

2017-02-06 Thread Raf Czlonka
Hi all,

How about doing it throughout the tree[0]?

[0] http://marc.info/?m=142689311221135

Cheers,

Raf

On Mon, Feb 06, 2017 at 05:53:22AM GMT, Theo Buehler wrote:
> On Sun, Feb 05, 2017 at 09:47:35PM -0800, Philip Guenther wrote:
> > On Sun, 5 Feb 2017, John McGuigan wrote:
> > > I've noticed something strange in adduser -- when attempting to add a 
> > > user completely through command line argument it seems to corrupt the
> > > entry in /etc/master.passwd.
> > > 
> > > Example:
> > > 
> > > $ echo "HorseBatteryStaple" | encrypt
> > > $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> > > 
> > > # adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> > > -message no -batch some.user "" "Some User" \
> > > $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> > > Added user ``some.user''
> > ...
> > > some.user:b/bin/ksh9/9uoOrbTRaf//3ZprAb9k.hOpfe9vYVqjf1a:5000:5000:: \
> > > 0:0:Some User:/home/some.user:/bin/ksh
> > > 
> > > As you can see the password entry gets corrupted with a 'b/bin/ksh...'
> > 
> > Let's see what the adduser command is seeing by passing that all to 'echo' 
> > instead:
> > 
> > # echo \
> > > adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> > > -message no -batch some.user "" "Some User" \
> > > $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> > adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh -message 
> > no -batch some.user  Some User b/bin/ksh9/FGXw.9oNjr3BLTS7DJp5n4M2
> > #
> > 
> > Ah, so the expansion is happening *outside* of adduser...in the shell.  
> > Yes, the shell does variable expansion even if the dollar-sign is in the 
> > middle of a word, so it's expanding the variables
> > $2  --> ""
> > $0  --> "/bin/ksh"
> > $ssZSLC6laHsTS7O2FwJ4Mufw6mSS   --> ""
> > 
> > 
> > > Behavior *is* present when hash is wrapped in "
> > 
> > Sure, because double-quotes only stop file-globbing and field splitting 
> > and not variable expansion.  You need single quotes for that:
> > 
> > # echo \
> > > adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> > > -message no -batch some.user "" "Some User" \
> > > '$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2'
> > adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh -message 
> > no -batch some.user  Some User 
> > $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> > #
> 
> The adduser.8 manual page has an example with no quotes in it, so we
> should fix that.  Also, let's use a new hash using $2b$ instead of $2a$.
> 
> Index: adduser.8
> ===
> RCS file: /var/cvs/src/usr.sbin/adduser/adduser.8,v
> retrieving revision 1.44
> diff -u -p -r1.44 adduser.8
> --- adduser.8 24 Dec 2015 16:54:37 -  1.44
> +++ adduser.8 6 Feb 2017 05:49:00 -
> @@ -373,7 +373,7 @@ The password has been created using
>  .Xr encrypt 1 :
>  .Bd -literal -offset indent
>  # adduser -batch falken guest,staff,beer 'Prof. Falken' \e
> -$2a$06$1Sdjxjoxg4cNmT6zAxriGOLgdLXQ3HdJ2dKBbzEk68jSrO1EtLJ3C
> +'$2b$10$aOadQNznQ1YJFnqNaRRneOvYvZAEO7atYiTND3EsLf6afHT5t1UIK'
>  .Ed
>  .Pp
>  Create user
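Review bot: nothing in the context around the replaced hash line says why the hash is now single-quoted, so a reader who adapts the example with double quotes or no quotes gets the same silent corruption reported in this thread. Suggest a sentence before the .Bd block stating that the encrypted password contains $ characters and has to be single-quoted to keep the shell from expanding them.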
> 



Re: Password corruption in adduser

2017-02-05 Thread Bob Beck
ok beck@
On Sun, Feb 5, 2017 at 22:53 Theo Buehler  wrote:

> On Sun, Feb 05, 2017 at 09:47:35PM -0800, Philip Guenther wrote:
> > On Sun, 5 Feb 2017, John McGuigan wrote:
> > > I've noticed something strange in adduser -- when attempting to add a
> > > user completely through command line argument it seems to corrupt the
> > > entry in /etc/master.passwd.
> > >
> > > Example:
> > >
> > > $ echo "HorseBatteryStaple" | encrypt
> > > $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> > >
> > > # adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> > > -message no -batch some.user "" "Some User" \
> > > $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> > > Added user ``some.user''
> > ...
> > > some.user:b/bin/ksh9/9uoOrbTRaf//3ZprAb9k.hOpfe9vYVqjf1a:5000:5000:: \
> > > 0:0:Some User:/home/some.user:/bin/ksh
> > >
> > > As you can see the password entry gets corrupted with a 'b/bin/ksh...'
> >
> > Let's see what the adduser command is seeing by passing that all to
> 'echo'
> > instead:
> >
> > # echo \
> > > adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> > > -message no -batch some.user "" "Some User" \
> > > $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> > adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh
> -message no -batch some.user  Some User b/bin/ksh9/FGXw.9oNjr3BLTS7DJp5n4M2
> > #
> >
> > Ah, so the expansion is happening *outside* of adduser...in the shell.
> > Yes, the shell does variable expansion even if the dollar-sign is in the
> > middle of a word, so it's expanding the variables
> >   $2  --> ""
> >   $0  --> "/bin/ksh"
> >   $ssZSLC6laHsTS7O2FwJ4Mufw6mSS   --> ""
> >
> >
> > > Behavior *is* present when hash is wrapped in "
> >
> > Sure, because double-quotes only stop file-globbing and field splitting
> > and not variable expansion.  You need single quotes for that:
> >
> > # echo \
> > > adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
> > > -message no -batch some.user "" "Some User" \
> > > '$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2'
> > adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh
> -message no -batch some.user  Some User
> $2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
> > #
>
> The adduser.8 manual page has an example with no quotes in it, so we
> should fix that.  Also, let's use a new hash using $2b$ instead of $2a$.
>
> Index: adduser.8
> ===
> RCS file: /var/cvs/src/usr.sbin/adduser/adduser.8,v
> retrieving revision 1.44
> diff -u -p -r1.44 adduser.8
> --- adduser.8   24 Dec 2015 16:54:37 -  1.44
> +++ adduser.8   6 Feb 2017 05:49:00 -
> @@ -373,7 +373,7 @@ The password has been created using
>  .Xr encrypt 1 :
>  .Bd -literal -offset indent
>  # adduser -batch falken guest,staff,beer 'Prof. Falken' \e
> -$2a$06$1Sdjxjoxg4cNmT6zAxriGOLgdLXQ3HdJ2dKBbzEk68jSrO1EtLJ3C
> +'$2b$10$aOadQNznQ1YJFnqNaRRneOvYvZAEO7atYiTND3EsLf6afHT5t1UIK'
>  .Ed
>  .Pp
>  Create user
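Review bot: the replacement hash line also changes the cost field from 06 to 10, while the description only mentions moving from $2a$ to $2b$. If the higher cost is intentional, say so in the commit message so the new rounds value in the example is not read as accidental.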
>
>


Password corruption in adduser

2017-02-05 Thread John McGuigan
Hi all,

I've noticed something strange in adduser -- when attempting to add a
user completely through command line argument it seems to corrupt the
entry in /etc/master.passwd.

Example:

$ echo "HorseBatteryStaple" | encrypt
$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2

# adduser -silent -noconfig -uid_start 5000 -group USER -shell ksh \
-message no -batch some.user "" "Some User" \
$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2
Added user ``some.user''

# vipw

...
some.user:b/bin/ksh9/9uoOrbTRaf//3ZprAb9k.hOpfe9vYVqjf1a:5000:5000:: \
0:0:Some User:/home/some.user:/bin/ksh
...

As you can see the password entry gets corrupted with a 'b/bin/ksh...'

This behavior does not occur with -unencrypted.

Behavior *is* present when hash is wrapped in "

Take care,

John
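
An added example, not part of any message in this thread: a POSIX sh sketch of the expansion Philip Guenther describes, using the hash from the report, with a shape check that rejects a mangled hash before it is handed to adduser -batch. The function names and the check itself (a 60-character string with a $2a$ or $2b$ prefix) are assumptions of this example, not adduser behaviour.

```shell
#!/bin/sh
# Added example. The hash is the one posted in the thread.

# Single quotes: the text reaches the command untouched.
quoted_hash() {
    printf '%s\n' '$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2'
}

# Double quotes: $2, $0 and $ssZSLC6laHsTS7O2FwJ4Mufw6mSS are still expanded.
# Runs in a subshell with nounset off; under `set -u` the unset variables
# would abort the command instead of silently corrupting the hash.
mangled_hash() (
    set +u
    printf '%s\n' "$2b$09$ssZSLC6laHsTS7O2FwJ4Mufw6mSS/FGXw.9oNjr3BLTS7DJp5n4M2"
)

# Shape check for a bcrypt string: $2a$ or $2b$, two-digit cost, '$',
# then 53 characters from [./A-Za-z0-9] (60 characters in total).
is_bcrypt_hash() {
    bh_value=$1
    [ "${#bh_value}" -eq 60 ] || return 1
    case $bh_value in
        '$2'[ab]'$'[0-9][0-9]'$'*) ;;
        *) return 1 ;;
    esac
    bh_body=${bh_value#???????}      # drop the 7-character prefix
    case $bh_body in
        *[!./A-Za-z0-9]*) return 1 ;;
    esac
    return 0
}

# Hypothetical wrapper: print the adduser command line only if the hash
# survived the trip through the shell; otherwise refuse.
batch_adduser_cmd() {   # usage: batch_adduser_cmd user fullname hash
    if ! is_bcrypt_hash "$3"; then
        printf 'refusing: %s is not a bcrypt hash (shell expansion?)\n' "$3" >&2
        return 1
    fi
    # "$3" is safe in double quotes: the result of an expansion is not
    # scanned again for further $-expansions.
    printf "adduser -batch %s \"\" \"%s\" '%s'\n" "$1" "$2" "$3"
}
```

Holding the hash in a variable and passing "$hash" avoids the problem as well, because only literal text in the command line is scanned for $-expansions.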