1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
From 980692e6b9cfe4a34e22f566e0981a8c549e4348 Mon Sep 17 00:00:00 2001
From: Matthias Clasen <mclasen@redhat.com>
Date: Fri, 01 Nov 2013 21:09:25 +0000
Subject: Avoid deleting the root user
The check we have in place against deleting the root user can
be tricked by exploiting the fact that we are checking a gint64,
and then later cast it to a uid_t. This can be seen with the
following test, which will delete your root account:
qdbus --system org.freedesktop.Accounts /org/freedesktop/Accounts \
org.freedesktop.Accounts.DeleteUser -9223372036854775808 true
Found with the dfuzzer tool,
https://github.com/matusmarhefka/dfuzzer
---
diff --git a/src/daemon.c b/src/daemon.c
index ea75190..9c7001b 100644
--- a/src/daemon.c
+++ b/src/daemon.c
@@ -1227,7 +1227,7 @@ daemon_uncache_user (AccountsAccounts *accounts,
}
typedef struct {
- gint64 uid;
+ uid_t uid;
gboolean remove_files;
} DeleteUserData;
@@ -1309,13 +1309,13 @@ daemon_delete_user (AccountsAccounts *accounts,
Daemon *daemon = (Daemon*)accounts;
DeleteUserData *data;
- if (uid == 0) {
+ if ((uid_t)uid == 0) {
throw_error (context, ERROR_FAILED, "Refuse to delete root user");
return TRUE;
}
data = g_new0 (DeleteUserData, 1);
- data->uid = uid;
+ data->uid = (uid_t)uid;
data->remove_files = remove_files;
daemon_local_check_auth (daemon,
--
cgit v0.9.0.2-2-gbebe
|