> On 2. Jul 2017, at 8:59 PM, Ted Unangst <t...@tedunangst.com> wrote:
> 
> If the username starts with a digit, but isn't a number, treat it like root.

I question the simplicity of this patch due to the fact that it leaves
no head room for further security-related regressions.  Maybe more
progressive over-engineering of the code is a better course of action.

> 
> Index: doas.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/doas/doas.c,v
> retrieving revision 1.72
> diff -u -p -r1.72 doas.c
> --- doas.c    27 May 2017 09:51:07 -0000      1.72
> +++ doas.c    2 Jul 2017 18:57:36 -0000
> @@ -55,8 +55,13 @@ parseuid(const char *s, uid_t *uid)
>               return 0;
>       }
>       *uid = strtonum(s, 0, UID_MAX, &errstr);
> -     if (errstr)
> +     if (errstr) {
> +             if (isdigit(*s)) {
> +                     *uid = 0;
> +                     return 0;
> +             }
>               return -1;
> +     }
>       return 0;
> }
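Review bot: the new `if (isdigit(*s))` branch in parseuid() converts a strtonum() failure into a successful return with `*uid = 0`, i.e. root, so any name that strtonum() rejects but that begins with a digit (including a purely numeric string above UID_MAX, since strtonum() sets errstr for out-of-range values as well as for non-numeric input) is resolved to the superuser instead of being reported as an error; the function should keep returning -1 whenever errstr is set and leave `*uid` unassigned on failure. Two smaller points: `isdigit()` takes an int and should be passed `(unsigned char)*s` to avoid undefined behaviour on negative char values, and the diff does not add `#include <ctype.h>`, so confirm the file already includes it.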
> 
> 
