Seems like it will fail to handle usernames with "-", ".", or "_" in the name?
Should compare this exclusion list against what "adduser" does. src/daemon.c:
        re = g_regex_new ("(?P<username>[0-9a-zA-Z]+)[ ]+(?P<frequency>[0-9]+)", 0, 0, &error);

daemon_create_user_authorized_cb() lacks a "--" in the argument builder, so 
accounts with a leading dash will be taken as an argument:
        argv[4] = cd->user_name;
Additionally, nothing validates the contents of user_name and real_name 
("useradd" should, but best to do _some_ sanity checking).

daemon_delete_user_authorized_cb() lacks "--" in argument builder too.
In fact, all the spawned cb()'s lack the "--" separator (see user.c too).

I see no way for the daemon to shut down during a package upgrade (and
the associated postinst to perform that). This should be an MIR
requirement for all D-Bus daemons, IMO.

And I would agree: it's not okay for the password hint to be sent over
the system bus.

I can't see how user_set_icon_file() is actually called, but it contains a few
problems:
 - source file is examined with root privileges (size, mode)
 - ToCToU on file size (checks first, then performs copy; file size can change
   between the two)
 - missing "--" in the spawn again

user_change_password_authorized_cb expects the crypted password to be
sent over D-Bus. This is not okay since even the encrypted password is
considered private (hence /etc/shadow), though this is what
system-tools-backends did before, IIRC (also, holy cow, did s-t-b revert to
sending passwords in the clear over D-Bus??). (Not sure what calls
user_set_password though.) What is generating the crypted password? Is
it respecting the settings in /etc/login.defs?

Anyway, that's enough for now. This stuff should get fixed before this
goes into main.



** Changed in: accountsservice (Ubuntu)
     Assignee: Ubuntu Security Team (ubuntu-security) => Didier Roche (didrocks)

** Changed in: accountsservice (Ubuntu)
       Status: New => Incomplete

https://bugs.launchpad.net/bugs/785680

Title:
  [MIR] accountsservice

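
An added illustration of the missing "--" and the user_name sanity check discussed in the comment above, written in plain C; it is not accountsservice code and not the reviewer's. The useradd argument layout, the getopt option string used to stand in for the spawned tool, and the name policy in username_ok() are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed policy (not adduser's actual rule): first char [a-z_], then
 * [a-z0-9_.-], 1..32 chars. A leading '-' is always refused. */
int username_ok(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32 || !((s[0] >= 'a' && s[0] <= 'z') || s[0] == '_'))
        return 0;
    for (size_t i = 1; i < n; i++)
        if (!((s[i] >= 'a' && s[i] <= 'z') || (s[i] >= '0' && s[i] <= '9') ||
              strchr("_.-", s[i])))
            return 0;
    return 1;
}

/* Build a useradd-style argv (layout assumed). With sep != 0 a "--" is
 * placed before the name so it can only be positional. Returns argc. */
int build_argv(const char *argv[7], const char *real, const char *user, int sep)
{
    int i = 0;
    argv[i++] = "useradd"; argv[i++] = "-m";
    argv[i++] = "-c";      argv[i++] = real;
    if (sep)
        argv[i++] = "--";
    argv[i++] = user;
    argv[i] = NULL;
    return i;
}

/* Number of positional arguments a getopt-based tool would see; the
 * option string is a stand-in for the spawned program's own. */
int positional_args(int argc, const char *argv[])
{
    optind = 0; opterr = 0;  /* restart scanning quietly (glibc, musl) */
    while (getopt(argc, (char *const *)argv, "+mc:") != -1)
        ;
    return argc - optind;
}

int main(void)
{
    const char *a[7];  /* "-x" is a constructed name with a leading dash */
    int bare = positional_args(build_argv(a, "Real Name", "-x", 0), a);
    int safe = positional_args(build_argv(a, "Real Name", "-x", 1), a);
    printf("names seen by the tool: %d without \"--\", %d with it\n", bare, safe);
    return 0;
}
```

The separator and the validation are independent checks: "--" keeps any name positional, while username_ok() rejects the leading-dash name before anything is spawned.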