From: Anders Kaseorg Date: Sun, 18 Oct 2009 07:01:45 +0000 (-0400) Subject: Disallow numeric nonlocal user/group names that look like local uid/gids. X-Git-Tag: 1.11~5 X-Git-Url: http://andersk.mit.edu/gitweb/nss_nonlocal.git/commitdiff_plain/a07a76165353393309d67a8c8dd64233f5777a87 Disallow numeric nonlocal user/group names that look like local uid/gids. This prevents nonlocal users and groups from disturbing a command like ‘chown 0:0 file’. Signed-off-by: Anders Kaseorg
---
diff --git a/nonlocal-group.c b/nonlocal-group.c
index af422dd..074fc4e 100644
--- a/nonlocal-group.c
+++ b/nonlocal-group.c
@@ -129,6 +129,19 @@ check_nonlocal_gid(const char *user, gid_t gid, int *errnop)
 enum nss_status
 check_nonlocal_group(const char *user, struct group *grp, int *errnop)
 {
+ enum nss_status status = NSS_STATUS_SUCCESS;
+ int old_errno = errno;
+ char *end;
+ unsigned long gid;
+
+ errno = 0;
+ gid = strtoul(grp->gr_name, &end, 10);
+ if (errno == 0 && *end == '\0' && (gid_t)gid == gid)
+ status = check_nonlocal_gid(user, gid, errnop);
+ errno = old_errno;
+ if (status != NSS_STATUS_SUCCESS)
+ return status;
+
+ return check_nonlocal_gid(user, grp->gr_gid, errnop);
 }
diff --git a/nonlocal-passwd.c b/nonlocal-passwd.c
index ffd5375..0d71fe3 100644
--- a/nonlocal-passwd.c
+++ b/nonlocal-passwd.c
@@ -127,6 +127,19 @@ check_nonlocal_uid(const char *user, uid_t uid, int *errnop)
 enum nss_status
 check_nonlocal_passwd(const char *user, struct passwd *pwd, int *errnop)
 {
+ enum nss_status status = NSS_STATUS_SUCCESS;
+ int old_errno = errno;
+ char *end;
+ unsigned long uid;
+
+ errno = 0;
+ uid = strtoul(pwd->pw_name, &end, 10);
+ if (errno == 0 && *end == '\0' && (uid_t)uid == uid)
+ status = check_nonlocal_uid(user, uid, errnop);
+ errno = old_errno;
+ if (status != NSS_STATUS_SUCCESS)
+ return status;
+
+ return check_nonlocal_uid(user, pwd->pw_uid, errnop);
 }
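Review bot: The numeric-name test in check_nonlocal_group (nonlocal-group.c) also passes for a name with no digits at all, because `strtoul` on an empty `gr_name` returns 0 and leaves `end` on the terminator, so `*end == '\0'` holds and gid 0 is the value checked. The usual consumed-something guard makes the intent explicit: `if (errno == 0 && end != grp->gr_name && *end == '\0' && (gid_t)gid == gid)`. `strtoul` also skips leading whitespace and accepts a sign, so names such as `" 0"` or `"+0"` are treated as 0 here; that errs on the strict side, but deserves a comment if it is intended. The same condition appears in check_nonlocal_passwd in nonlocal-passwd.c with `pwd->pw_name` and would take the same guard.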
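Review bot: The new block at the top of check_nonlocal_passwd (nonlocal-passwd.c) has no comment saying why a user name is parsed as a number, so the reason lives only in the commit message. A short comment above `errno = 0;` would keep it with the code, for example `/* An all-digit nonlocal name must not equal a local uid, or "chown 0:0 file" could pick up the nonlocal entry. */`. A second line noting that `errno` is saved and restored around `strtoul` so the caller's value is left untouched would also help the next reader. What check_nonlocal_uid returns for a colliding id is outside this hunk, so the wording should be confirmed against it. The twin block in check_nonlocal_group would take the same comment with gid in place of uid.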