[ovs-dev,v2] lib: protect daemon_set_new_user against non existing user:group specs

From the manpages of getgrnam_r (getpwnam_r is similar):
"If no matching group record was found, these functions return 0 and
store NULL in *result."

The code checked only against errors, but non existing users didn't set
e != 0 therefore the code could try to set arbitrary uid/gid values.

*Update in v2*
fix wrong pointer usage of *res and running full set of unit tests to be sure.

Fixes: e91b927d lib/daemon: support --user option for all OVS daemon

Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
---
 lib/daemon-unix.c | 7 +++++++
 1 file changed, 7 insertions(+)

Aarons last patch reminded me that we didn't went on on the fixed patch for
this code path that Aaron just modified.
So giving this a bump to show up again.

Christian Ehrhardt
Software Engineer, Ubuntu Server
Canonical Ltd

On Mon, Apr 25, 2016 at 2:12 AM, Christian Ehrhardt <
christian.ehrhardt@canonical.com> wrote:

> From the manpages of getgrnam_r (getpwnam_r is similar):
> "If no matching group record was found, these functions return 0 and
> store NULL in *result."
>
> The code checked only against errors, but non existing users didn't set
> e != 0 therefore the code could try to set arbitrary uid/gid values.
>
> *Update in v2*
> fix wrong pointer usage of *res and running full set of unit tests to be
> sure.
>
> Fixes: e91b927d lib/daemon: support --user option for all OVS daemon
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
> ---
>  lib/daemon-unix.c | 7 +++++++
>  1 file changed, 7 insertions(+)
>
> diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
> index 182f76b..28f76da 100644
> --- a/lib/daemon-unix.c
> +++ b/lib/daemon-unix.c
> @@ -972,6 +972,9 @@ daemon_set_new_user(const char *user_spec)
>              VLOG_FATAL("%s: Failed to retrive user %s's uid (%s),
> aborting.",
>                         pidfile, user, ovs_strerror(e));
>          }
> +        if (res == NULL) {
> +            VLOG_FATAL("%s: user %s not found, aborting.", pidfile, user);
> +        }
>      } else {
>          /* User name is not specified, use current user.  */
>          while ((e = getpwuid_r(uid, &pwd, buf, bufsize, &res)) == ERANGE)
> {
> @@ -1012,6 +1015,10 @@ daemon_set_new_user(const char *user_spec)
>                             "(%s), aborting.", pidfile, grpstr,
>                             ovs_strerror(e));
>              }
> +            if (res == NULL) {
> +                VLOG_FATAL("%s: group %s not found, aborting.", pidfile,
> +                           grpstr);
> +            }
>
>              if (gid != grp.gr_gid) {
>                  char **mem;
> --
> 2.7.4
>
>

Christian Ehrhardt <christian.ehrhardt@canonical.com> writes:

> Aarons last patch reminded me that we didn't went on on the fixed patch for
> this code path that Aaron just modified.
> So giving this a bump to show up again.
>
> Christian Ehrhardt
> Software Engineer, Ubuntu Server
> Canonical Ltd
>
> On Mon, Apr 25, 2016 at 2:12 AM, Christian Ehrhardt <
> christian.ehrhardt@canonical.com> wrote:
>
>> From the manpages of getgrnam_r (getpwnam_r is similar):
>> "If no matching group record was found, these functions return 0 and
>> store NULL in *result."
>>
>> The code checked only against errors, but non existing users didn't set
>> e != 0 therefore the code could try to set arbitrary uid/gid values.
>>
>> *Update in v2*
>> fix wrong pointer usage of *res and running full set of unit tests to be
>> sure.
>>
>> Fixes: e91b927d lib/daemon: support --user option for all OVS daemon
>>
>> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>
>> ---

Cool! From my recent series (in the ovs_strtousr function):

+    if (e != 0 || !res) {
+        if (!res) e = ENOENT;
+        VLOG_ERR("Failed to retrieve user pwentry (%s), aborting.",
+                 ovs_strerror(e));
+        goto release;
+    }

I think I did testing with the ovs_strtousr function, and figured I
missed the check when moving it over.

>>  lib/daemon-unix.c | 7 +++++++
>>  1 file changed, 7 insertions(+)
>>
>> diff --git a/lib/daemon-unix.c b/lib/daemon-unix.c
>> index 182f76b..28f76da 100644
>> --- a/lib/daemon-unix.c
>> +++ b/lib/daemon-unix.c
>> @@ -972,6 +972,9 @@ daemon_set_new_user(const char *user_spec)
>>              VLOG_FATAL("%s: Failed to retrive user %s's uid (%s),
>> aborting.",
>>                         pidfile, user, ovs_strerror(e));
>>          }
>> +        if (res == NULL) {
>> +            VLOG_FATAL("%s: user %s not found, aborting.", pidfile, user);
>> +        }
>>      } else {
>>          /* User name is not specified, use current user.  */
>>          while ((e = getpwuid_r(uid, &pwd, buf, bufsize, &res)) == ERANGE)
>> {
>> @@ -1012,6 +1015,10 @@ daemon_set_new_user(const char *user_spec)
>>                             "(%s), aborting.", pidfile, grpstr,
>>                             ovs_strerror(e));
>>              }
>> +            if (res == NULL) {
>> +                VLOG_FATAL("%s: group %s not found, aborting.", pidfile,
>> +                           grpstr);
>> +            }
>>
>>              if (gid != grp.gr_gid) {
>>                  char **mem;
>> --
>> 2.7.4
>>
>>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> http://openvswitch.org/mailman/listinfo/dev

On Mon, Apr 25, 2016 at 09:12:19AM +0200, Christian Ehrhardt wrote:
> From the manpages of getgrnam_r (getpwnam_r is similar):
> "If no matching group record was found, these functions return 0 and
> store NULL in *result."
> 
> The code checked only against errors, but non existing users didn't set
> e != 0 therefore the code could try to set arbitrary uid/gid values.
> 
> *Update in v2*
> fix wrong pointer usage of *res and running full set of unit tests to be sure.
> 
> Fixes: e91b927d lib/daemon: support --user option for all OVS daemon
> 
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt@canonical.com>

Thanks, applied to master and branch-2.5.