An application trying to do getpwnam() on a bad username (i.e., a too-long username, or one with invalid chars) causes OpenLDAP to crash. This might be a failure of the OpenLDAP search function, but nss_ldap *must* validate the username before passing it to the LDAP backend.
Reproducible: Always
Steps to Reproduce:
1. do # id "$(dd if=/dev/urandom bs=100 count=1)" on a system using nss_ldap with OpenLDAP.
Actual Results: OpenLDAP crashed and had to be restarted.
Expected Results: nss_ldap should never pass an invalid username to OpenLDAP.
Created attachment 39190 [details, diff] This is a patch for nss_ldap to validate usernames before passing them to OpenLDAP. The function is_valid_username() is taken from popa3d. The PADL team has been notified, but it seems that they haven't reacted yet. This is a patch for the 220 version of nss_ldap, but it works with 213 and later.
That is_valid_username() function is not correct, for several reasons: the standard unix character set for usernames is [-.$_abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]. [a-z] does NOT expand to all 26 characters in some locales. This has caused lots of problems for those locales. See http://bugs.gentoo.org/show_bug.cgi?id=17051#c20 for the history of this. However, I'm also aware of sites that use UTF8 for usernames, as they have usernames with hiragana glyphs, so this problem is much harder. A proper validation function is needed for usernames here. p.s. are the nssldap folk aware of this bug? If not, please point them here.
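A locale-independent validation routine in the spirit of the patch under discussion, added here as an example and not the nss_ldap or popa3d code: it spells out the byte set quoted in the comment above instead of relying on a [a-z] range, caps the length (the 256 limit and the rejection of a leading '-' are my assumptions), and consequently also rejects the UTF-8 names mentioned, which a site that allows them would need to handle separately.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Assumed upper bound on a username; not taken from the bug thread. */
#define MAX_USERNAME_LEN 256

/* The allowed set from the thread, listed byte by byte so the check does
 * not depend on how the current locale collates a range like [a-z]. */
static const char allowed_chars[] =
    "-.$_abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Returns true only if every byte of name is in allowed_chars, the name is
 * non-empty, at most MAX_USERNAME_LEN bytes, and does not start with '-'
 * (assumed rule: a leading dash is parsed as an option by many tools).
 * Bytes with the high bit set (UTF-8 sequences) are rejected. */
bool is_valid_username(const char *name)
{
    size_t i;
    if (name == NULL)
        return false;
    for (i = 0; name[i] != '\0'; i++) {
        if (i >= MAX_USERNAME_LEN)
            return false;
        /* name[i] is never NUL here, so strchr cannot match the terminator */
        if (strchr(allowed_chars, name[i]) == NULL)
            return false;
    }
    return i > 0 && name[0] != '-';
}

/* Helper for exercising the length cap: builds a constructed name made of
 * n copies of 'a' and reports whether it passes validation. */
bool valid_when_length_is(size_t n)
{
    static char buf[MAX_USERNAME_LEN + 2];
    if (n > MAX_USERNAME_LEN + 1)
        return false;
    memset(buf, 'a', n);
    buf[n] = '\0';
    return is_valid_username(buf);
}
```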
Shouldn't PAM itself take care of this? I.e., shouldn't PAM validate user names *before* passing them to the individual pam modules?
I think the system should be validating usernames before passing them on to nss/pam modules....
Why? You can easily break openldap by using some other communication method than nss_ldap. I say fix openldap rather than trying to figure out what is valid in the upper layers.
How about fixing both - yes, OpenLDAP should not crash, no matter what (same principle as the kernel or X or any other service for that matter - no matter what you throw at it, it should not break). However, PAM should also validate usernames before passing them onto PAM modules; that just makes sense, both for efficiency and security - you can't control who is going to write their own PAM modules and possibly screw up. btw, useradd has been complaining lately about uppercase usernames - are uppercase letters still allowed?
    pug root # useradd TesTy
    useradd: invalid user name 'TesTy'
    pug root #
It doesn't make sense for security for PAM to validate the username. Besides, why have validation rules in both places? Let the backend ldap figure out what a 'proper' username is and let the frontend modules handle the return codes.
lazar: I repeated my testing for this, and I note that as of openldap-2.1.30 (which is stable on all arches I believe) I cannot make openldap crash at all like this. Unless you can provide me with a string that still shows it crashing, I'm inclined to just close this bug and forget about it now.
no response from user, and I can't reproduce this.