From: Garrett Wollman
To: Damian Weber
Cc: freebsd-security@freebsd.org, emaste@freebsd.org
Subject: Re: edit others user crontab, security bug
Date: Fri, 2 Sep 2016 22:31:06 -0400
Message-ID: <22474.13802.335507.240401@hergotha.csail.mit.edu>

< said:

> bsm/libbsm.h:#define AU_USER_NAME_MAX 50

That's fine, since it means that the user name in an audit record (i.e., output data) is bigger than what FreeBSD needs.

> netsmb/smb.h:#define SMB_MAXUSERNAMELEN 128

Not sure that this matters for anything.

> sys/param.h:#define MAXLOGNAME 33 /* max login name length (incl. NUL) */

This is the one that matters.

> sys/sysctl.h:#define USER_TZNAME_MAX 20 /* int: POSIX2_TZNAME_MAX */

Not relevant.

> limits.h:#define _POSIX_LOGIN_NAME_MAX 9

This is the POSIX "minimum maximum" -- i.e., all POSIX systems must support at least this value.

> stdio.h:#define L_cuserid 17 /* size for cuserid(3); MAXLOGNAME, legacy */

Legacy interface that should not be used.

> unistd.h:#define _SC_LOGIN_NAME_MAX 73

Because we do not define LOGIN_NAME_MAX, portable applications are required to use sysconf(3) to find out what {LOGIN_NAME_MAX} (i.e., the parameter, not the C-language macro) in the running system actually is. This is the "key" which allows them to retrieve that value; it is just an arbitrary integer (could be an enum if we went in for that sort of thing).

I see now that this was fixed by emaste@ yesterday (r305269). I'm a bit disappointed that it was done using MAXLOGNAME, but looking at the way it's used in the code, fixing it to use the proper POSIX parameter {LOGIN_NAME_MAX} would require significant restructuring, since the arrays that are currently statically allocated would have to be replaced with dynamic allocations. There are other static limits in this old code that should probably also be replaced, for safety, but don't represent a problem currently.

-GAWollman
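
Added example (not part of the original message and not FreeBSD's crontab code): a sketch of the approach the message describes, querying {LOGIN_NAME_MAX} with sysconf(3) at run time and allocating dynamically instead of using a statically sized array. The function names, the fallback to the POSIX minimum, and the reject-rather-than-truncate policy are assumptions of this example.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef _POSIX_LOGIN_NAME_MAX
#define _POSIX_LOGIN_NAME_MAX 9 /* POSIX "minimum maximum" quoted in the message */
#endif

/* Storage size for a login name on the running system, counting the
 * terminating NUL (the same convention as the MAXLOGNAME comment above). */
size_t login_name_max(void)
{
    long n = sysconf(_SC_LOGIN_NAME_MAX);

    /* -1 means an error or no determinate limit; fall back to the POSIX
     * floor (a policy choice made for this example). */
    if (n < _POSIX_LOGIN_NAME_MAX)
        return _POSIX_LOGIN_NAME_MAX;
    return (size_t)n;
}

/* Heap-allocated copy of a caller-supplied login name. Returns NULL with
 * errno = ENAMETOOLONG when the name plus its NUL exceeds the run-time limit. */
char *copy_login_name(const char *name)
{
    size_t max = login_name_max();
    size_t len = 0;

    while (len < max && name[len] != '\0')
        len++;
    if (len == max) { /* no NUL within the limit: reject, never truncate */
        errno = ENAMETOOLONG;
        return NULL;
    }
    char *buf = malloc(len + 1);
    if (buf == NULL)
        return NULL; /* allocation failure */
    memcpy(buf, name, len + 1);
    return buf;
}

int main(void)
{
    printf("login name storage size: %zu\n", login_name_max());
    return 0;
}
```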