On Wed, Dec 30, 2020 at 09:08:53AM -0700, Todd C. Miller wrote:
>[...]
> Yes, that should be checked. In the case of login_passwd.c there
> is really no reason to use auth_mkvalue(3) at all as there is nothing
> that needs to be escaped. I think the simplest approach is to send
> a reject message if there is a memory allocation error.
>
> - todd
>
> Index: login_passwd/login_passwd.c
> ===================================================================
> RCS file: /cvs/src/libexec/login_passwd/login_passwd.c,v
> retrieving revision 1.18
> diff -u -p -u -r1.18 login_passwd.c
> --- login_passwd/login_passwd.c 15 May 2020 17:25:39 -0000 1.18
> +++ login_passwd/login_passwd.c 30 Dec 2020 16:05:30 -0000
> @@ -121,7 +121,7 @@ main(int argc, char *argv[])
> }
> if (wheel != NULL && strcmp(wheel, "yes") != 0) {
> fprintf(back, BI_VALUE " errormsg %s\n",
> - auth_mkvalue("you are not in group wheel"));
> + "you are not in group wheel");
> fprintf(back, BI_REJECT "\n");
> exit(1);
> }
>[...]
It could, of course, just use a fixed string rather than the "%s" format,
although the latter is certainly clear(er) and consistent.
With auth_mkvalue() not being used, I don't think it needs to include
<bsd_auth.h> any more.
Thanks,
Ross
