Bug 63211 - Bad username passed by nss_ldap to OpenLDAP causes latter to crash
Status: RESOLVED WORKSFORME
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Library (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo's Team for Core System packages
Reported: 2004-09-08 03:30 UTC by Lazar Obradovic
Modified: 2005-01-07 03:48 UTC (History)

Attachments
nss_ldap-220-username-check.diff (1.59 KB, patch): This is a patch for nss_ldap to validate usernames before passing to OpenLDAP. Added 2004-09-08 04:13 UTC by Lazar Obradovic.

Description Lazar Obradovic 2004-09-08 03:30:24 UTC
An application trying to do getpwnam() on a bad username (i.e., a too-long username, or one with invalid chars) causes OpenLDAP to crash.

This might be a failure of the OpenLDAP search function, but nss_ldap *must* validate the username before passing it to the LDAP backend.

Reproducible: Always
Steps to Reproduce:
1. Do
# id "$(dd if=/dev/urandom bs=100 count=1)"

on a system using nss_ldap with OpenLDAP. 

Actual Results:  
OpenLDAP crashed and had to be restarted.

Expected Results:  
nss_ldap should never pass an invalid username to OpenLDAP.
Comment 1 Lazar Obradovic 2004-09-08 04:13:53 UTC
Created attachment 39190
This is a patch for nss_ldap to validate usernames before passing to OpenLDAP.

The function is_valid_username() is taken from popa3d.

PADL team has been notified, but it seems that they haven't reacted yet.

This is a patch for version 220 of nss_ldap, but it works with 213 and later.
Comment 2 Robin Johnson 2004-09-08 13:48:21 UTC
That is_valid_username() function is not correct, for several reasons:
the standard unix character set for usernames is: 
[-.$_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

[a-z] does NOT expand to all 26 characters in some locales. This has caused lots of problems for those locales. See http://bugs.gentoo.org/show_bug.cgi?id=17051#c20 for the history of this.

However, I'm also aware of sites that use UTF8 for usernames, as they have usernames with hiragana glyphs, so this problem is much harder.

A proper validation function is needed for usernames here.

P.S. Are the nss_ldap folk aware of this bug? If not, please point them here.
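A byte-exact validator of the kind comment 2 asks for, added here as an illustration; it is not the attached popa3d-derived patch (which is not shown on this page). The 32-byte limit and the leading-hyphen rule are assumptions chosen for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Upper bound on accepted length (assumed value for this example; a real
 * deployment should take it from the directory's and the system's policy). */
#define USERNAME_MAX 32

/* The portable username character set quoted in comment 2, spelled out byte
 * by byte so the check never depends on how the current locale expands a
 * range such as [a-z]. Anything outside it, including UTF-8 multibyte
 * sequences, is rejected by this conservative validator. */
static const char USERNAME_ALLOWED[] =
    "-.$_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Returns true only if name is non-empty, at most USERNAME_MAX bytes, made
 * solely of allowed bytes, and does not start with '-' (POSIX advises
 * against a leading hyphen in portable user names). No locale-aware ctype
 * call is involved, so the result is the same under every locale. */
bool is_valid_username(const char *name)
{
    size_t len = 0;

    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return false;

    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        if (++len > USERNAME_MAX)
            return false;
        /* strchr(set, 0) would match the terminator, but *p is never 0 here. */
        if (strchr(USERNAME_ALLOWED, *p) == NULL)
            return false;
    }
    return true;
}

/* Gate a lookup before it reaches the LDAP backend: a rejected name is
 * answered locally as "not found" instead of being forwarded. */
int main(void)
{
    const char *candidates[] = { "lazar", "TesTy", "-root", "bad user", "" };
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("%-10s -> %s\n", candidates[i],
               is_valid_username(candidates[i]) ? "forward to LDAP" : "reject locally");
    return 0;
}
```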
Comment 3 Jaco Kroon 2004-11-15 10:42:11 UTC
Shouldn't PAM itself take care of this? I.e., shouldn't PAM validate user names *before* passing them to the individual PAM modules?
Comment 4 Robin Johnson 2004-11-30 16:13:38 UTC
I think the system should be validating usernames before passing them on to nss/pam modules...
Comment 5 SpanKY 2004-11-30 16:41:39 UTC
Why?
You can easily break openldap by using some other communication method than nss_ldap.

I say fix openldap rather than trying to figure out what is valid in the upper layers.
Comment 6 Jaco Kroon 2004-12-01 21:27:04 UTC
How about fixing both - yes, OpenLDAP should not crash, no matter what (same principle as the kernel or X or any other service for that matter - no matter what you throw at it, it should not break). However, PAM should also validate usernames before passing them on to PAM modules; that just makes sense, both for efficiency and security - you can't control who is going to write their own PAM modules and possibly screw up.

BTW, useradd has been complaining of late about uppercase usernames - are uppercase names still allowed?

pug root # useradd TesTy
useradd: invalid user name 'TesTy'
pug root # 
Comment 7 SpanKY 2004-12-01 21:37:43 UTC
It doesn't make sense for security for PAM to validate the username.

Besides, why have validation rules in both places? Let the backend ldap figure out what a 'proper' username is and let the frontend modules handle the return codes.
Comment 8 Robin Johnson 2004-12-05 20:22:57 UTC
lazar: I repeated my testing for this, and I note that as of openldap-2.1.30 (which is stable on all arches I believe) I cannot make openldap crash at all like this.

Unless you can provide me with a string that still shows it crashing, I'm inclined to just close this bug and forget about it now.
Comment 9 Robin Johnson 2005-01-07 03:48:18 UTC
No response from user, and I can't reproduce this.