From d3b8c0723d0d691585474b0e14982f62b115a672 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Mon, 8 Jan 2024 21:59:23 +0100 Subject: pam_unix: do not truncate user names This could allow users with very long names to impersonate a user with a 255 characters long name. The check if the argument argv[1] actually matches the user name implies that "user" can unconditionally be set to argv[1]: If they are equal, the strings are obviously equal. If they are not or if null is returned by getuidname, "user" is set to argv[1] anyway. This way, the static buffer can be safely removed because the result of getpwuid() is not stored, which means that subsequent calls to such functions can safely overwrite their internal buffers. Signed-off-by: Tobias Stoeckmann --- modules/pam_unix/passverify.c | 6 +----- modules/pam_unix/unix_chkpwd.c | 2 +- 2 files changed, 2 insertions(+), 6 deletions(-) (limited to 'modules/pam_unix') diff --git a/modules/pam_unix/passverify.c b/modules/pam_unix/passverify.c index c48e3c5a..c6515a65 100644 --- a/modules/pam_unix/passverify.c +++ b/modules/pam_unix/passverify.c @@ -1190,16 +1190,12 @@ char * getuidname(uid_t uid) { struct passwd *pw; - static char username[256]; pw = getpwuid(uid); if (pw == NULL) return NULL; - strncpy(username, pw->pw_name, sizeof(username)); - username[sizeof(username) - 1] = '\0'; - - return username; + return pw->pw_name; } #endif diff --git a/modules/pam_unix/unix_chkpwd.c b/modules/pam_unix/unix_chkpwd.c index 556a2e2c..50570dbc 100644 --- a/modules/pam_unix/unix_chkpwd.c +++ b/modules/pam_unix/unix_chkpwd.c @@ -138,11 +138,11 @@ int main(int argc, char *argv[]) /* if the caller specifies the username, verify that user matches it */ if (user == NULL || strcmp(user, argv[1])) { - user = argv[1]; /* no match -> permanently change to the real user and proceed */ if (setuid(getuid()) != 0) return PAM_AUTH_ERR; } + user = argv[1]; } option=argv[2]; -- cgit v1.2.3