
Re: Musings about Usernames in adduser and Debian

From Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu>
Newsgroups linux.debian.devel
Subject Re: Musings about Usernames in adduser and Debian
Date 2024-12-08 21:40 +0100
Message-ID <JRwel-eY2s-9@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway



Hi everyone!

I second calling it "allow-unsafe-names" for the following reasons:

1. Many programs assume that usernames are so inert that they can be
used in shell strings without proper escaping. For example, a user
named $(touch /tmp/pwn) will create /tmp/pwn upon the first launch of
an interactive bash, because the default bash PS1 interpolates the
username before doing command substitution. adduser doesn't allow
whitespace or forward slashes in usernames, even with
--allow-all-names, but you can still get the same behavior with the
username $(>`printf$IFS"\x2ftmp\x2fpwn"`). How this works is left as
an exercise for the reader. Once you figure it out, see if you can
out-golf us :)

2. There's a path traversal bug in useradd (but not adduser) that can
be triggered by usernames beginning with "../". For example, for the
username "../bin/brangal", useradd will create a home directory at
/home/../bin/brangal (i.e. /bin/brangal). This can be used to place a
directory owned by the new user nearly anywhere on the system.

-Ben Kallus && Jonah Weinbaum
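Added example (mine, not part of the message above): a Python check for the two hazards Ben describes. The first function mimics the two restrictions the post says survive adduser's --allow-all-names (no whitespace, no forward slash) and shows that the golfed name passes them: $IFS expands to whitespace, so printf$IFS"\x2ftmp\x2fpwn" is printf with one argument, printf turns \x2f into "/", the backticks substitute "/tmp/pwn", and a bare > redirection with that target creates the file. The remaining functions flag shell metacharacters and dot-dot components, and show that building the home directory by naive "/home" + "/" + name concatenation lands "../bin/brangal" at /bin/brangal. The usernames and the /home base come from the post; SHELL_META, PORTABLE_USERNAME and the function names are my own.

```python
"""Added example, not code from the post or from adduser/useradd.

Inputs below are the usernames quoted in the message; everything else is
constructed for illustration.
"""
import posixpath
import re

# Conservative portable pattern: lowercase letter or underscore, then lowercase
# letters, digits, underscore or dash, optional trailing '$' (machine accounts).
PORTABLE_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

# Characters that make a name dangerous once it is pasted unquoted into a shell
# string (e.g. the default bash PS1, which interpolates \u and then applies
# command substitution). This is an illustrative set, not an exhaustive one.
SHELL_META = set("$`()<>|;&\"'\\*?[]{}!~#=")

# Usernames from the post, reproduced as test inputs.
PS1_INJECTION = "$(touch /tmp/pwn)"
GOLFED_NO_SPACE = '$(>`printf$IFS"\\x2ftmp\\x2fpwn"`)'
TRAVERSAL = "../bin/brangal"


def adduser_like_filter(name):
    """Only the two checks the post says --allow-all-names keeps:
    reject whitespace and forward slashes. True means the name passes."""
    return not any(c.isspace() for c in name) and "/" not in name


def unsafe_reasons(name):
    """Return a list of reasons a username is unsafe; empty means it is fine."""
    reasons = []
    if any(c.isspace() for c in name):
        reasons.append("whitespace")
    if "/" in name:
        reasons.append("slash")
    if name.startswith("-"):
        reasons.append("leading dash (looks like an option)")
    if name == "" or any(part in (".", "..") for part in name.split("/")):
        reasons.append("dot-dot path component")
    meta = sorted(SHELL_META & set(name))
    if meta:
        reasons.append("shell metacharacters " + "".join(meta))
    if not PORTABLE_USERNAME.match(name):
        reasons.append("not portable")
    return reasons


def decode_printf_hex(s):
    """Decode \\xHH escapes the way printf's format string does, to show why
    a slash filter does not stop the golfed name from naming /tmp/pwn."""
    return re.sub(r"\\x([0-9a-fA-F]{1,2})",
                  lambda m: chr(int(m.group(1), 16)), s)


def naive_home(name, base="/home"):
    """Home directory as plain string concatenation builds it; no validation."""
    return base + "/" + name


def resolved_home(name, base="/home"):
    """Where the naive path actually points once '..' is collapsed."""
    return posixpath.normpath(naive_home(name, base))


def home_stays_under_base(name, base="/home"):
    """The check a practitioner wants: after normalisation the home directory
    must still be strictly inside base (lexical check; symlinks not followed)."""
    home = resolved_home(name, base)
    base_n = posixpath.normpath(base)
    return home != base_n and posixpath.commonpath([base_n, home]) == base_n


if __name__ == "__main__":
    for name in (PS1_INJECTION, GOLFED_NO_SPACE, TRAVERSAL, "brangal"):
        print(repr(name))
        print("  passes whitespace/slash filter:", adduser_like_filter(name))
        print("  reasons:", unsafe_reasons(name))
        print("  naive home resolves to:", resolved_home(name),
              "(inside /home)" if home_stays_under_base(name) else "(ESCAPES /home)")
```

The lexical check is enough for the "../" case in the post, since the escape happens before anything touches the filesystem; if the base directory can contain symlinks, run the same comparison on os.path.realpath of both sides as well.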



Thread

Re: Musings about Usernames in adduser and Debian Ben Kallus <benjamin.p.kallus.gr@dartmouth.edu> - 2024-12-08 21:40 +0100
  Re: Musings about Usernames in adduser and Debian Chris Hofstaedtler <zeha@debian.org> - 2024-12-09 18:10 +0100
    Re: Musings about Usernames in adduser and Debian Marc Haber <mh+debian-devel@zugschlus.de> - 2024-12-09 21:30 +0100
