From owner-freebsd-bugs@freebsd.org Sat Dec 23 22:21:03 2017 Return-Path: Delivered-To: freebsd-bugs@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 87E7BEA5CC9 for ; Sat, 23 Dec 2017 22:21:03 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2001:1900:2254:206a::16:76]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 765707888F for ; Sat, 23 Dec 2017 22:21:03 +0000 (UTC) (envelope-from bugzilla-noreply@freebsd.org) Received: from bugs.freebsd.org ([127.0.1.118]) by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id vBNML3mS094085 for ; Sat, 23 Dec 2017 22:21:03 GMT (envelope-from bugzilla-noreply@freebsd.org) From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 224556] pw(8) does not check semantics of name Date: Sat, 23 Dec 2017 22:21:03 +0000 X-Bugzilla-Reason: AssignedTo X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: Base System X-Bugzilla-Component: bin X-Bugzilla-Version: 11.1-STABLE X-Bugzilla-Keywords: X-Bugzilla-Severity: Affects Many People X-Bugzilla-Who: bernard.steiner@de.lahmeyer.com X-Bugzilla-Status: New X-Bugzilla-Resolution: X-Bugzilla-Priority: --- X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform op_sys bug_status bug_severity priority component assigned_to reporter Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.25 Precedence: list List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 23 Dec 2017 22:21:03 -0000 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D224556 Bug ID: 224556 Summary: pw(8) does not check semantics of name Product: Base System Version: 11.1-STABLE Hardware: Any OS: Any Status: New Severity: Affects Many People Priority: --- Component: bin Assignee: freebsd-bugs@FreeBSD.org Reporter: bernard.steiner@de.lahmeyer.com DO NOT TRY THIS ON ANY COMPUTER. DO NOT TRY THIS AT WORK, NOR AT HOME. Just noticed the existence of pw(8). The man page led me to believe it might be "compatible" to the user managem= ent program which was present in DYNIX/ptx, circa 1990 (and nuked at least four systems back then). I herewith confirm the useradd part at least is "compatible" to this quarter-century-old bug. I believe a pw userdel with user names constructed from unchecked pathnames= of such compounds will be somewhat detrimental to the system in question when doing the equivalent of rm -rf to the home dir. Would someone with access to the source *please* urgently add checking to t= he "name" argument to deny dot, possibly dotdot, and probably also slash. --=20 You are receiving this mail because: You are the assignee for the bug.=