Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 Oct 2021 12:58:43 -0300
From: Érico Nogueira <ericonr@...root.org>
To: <musl@...ts.openwall.com>
Subject: Re: get/set*ent functions and real world applications

On Mon Oct 11, 2021 at 9:38 PM -03, (GalaxyMaster) wrote:
> Enrico,
>
> On Mon, Oct 11, 2021 at 02:18:47PM -0300, ??rico Nogueira wrote:
> > On Mon Oct 11, 2021 at 10:32 AM -03, (GalaxyMaster) wrote:
> > >
> > > The whole parssing of password and group entires is quite "dumb", in
> > > terms that
> > > it always expects perfectly valid input and produces always correct
> > > output, but
> > > I would argue that these functions should be a bit smarter and should
> > > not make
> > > assumptions about the validity of the input, i.e treat it as untrusted
> > > user
> > > input.
> > 
> > There's a reason it's recommended that one only make changes to these
> > files using tools like the ones from the shadow suite. Things in /etc
> > can, theoretically, only be written to by root or at least trusted
> > users, so treating as entirely untrusted seems a bit over the top...
>
> Well, I prefer to treat anything external to my application as untrusted
> input,
> this saves time on troubleshooting weird issues later. In your statement
> above you put implicit trust into these abstract "trusted users", why
> guess
> what these could or could not do if we can handle the input in a safe
> and
> deterministic way? There was an argument on this list that libc should
> not
> treat/hide developer's mistakes and that's the reason you may see
> segfaults
> on a musl-based system more often (it is less forgiving to the poorly
> written
> code). Hoowever, I would argue that this particular case requires
> special
> treatment from libc since there is no way avoiding these functions if
> you
> are working with passwd/group based files.

It is untrusted input in that it shouldn't cause segfaults or other UB
when it's misconfigured, but expecting applications to treat
misconfigured entries the same way when you have applications using libc
functions, Go standard library ones, probably some Rust application
doing their own thing, means that the files really should be handled
with care. Most systems will have *some* application treating
misconfigured files in unexpected ways. However, this is not an argument
for not fixing musl, as I said right below the part you quoted:

	 That said, erroring out/skipping such entries sounds reasonable
	 either way.

>
> > It seems like both libraries are inconsistent in their own ways. glibc
> > skips malformed entries when some fields are missing, but fixes a
> > missing supplemental group entry. musl skips a missing supplemental
> > group entry, but "fixes" malformed entries with fields missing.
> > 
> > Maybe striving for consistency by either always skipping or always
> > fixing entries seems like a more reasonable choice to me, maybe?
>
> I am not defending Glibc, but I find their approach to this matter
> consistent
> and expected from the common sense point of view. I would rather see
> musl
> aligned with it than try to convince everyone of yet another way of
> doing this.

That's a fair point.

>
> > > With put*() functions the situation a bit better, but still could be
> > > improved to achieve better compatibility. putpwent() will output
> > > '(null)' for any NULL pointer passed for the string arguments (due to
> > > direct call to fprintf() and the UB for that situation), while Glibc
> > > would output an empty string instead.
> > 
> > It would seem the function returns EINVAL instead of outputting anything
> > at all, from my look at the code. I think that's reasonable behavior for
> > musl to implement, given how badly specified the function is.
>
> No, it is not behaving like that, it behaves exactly as I described:
> ===
> galaxy@...l:~/musl-tests $ cat test-putpwent.c
> #include <sys/types.h>
> #include <pwd.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <errno.h>
>
> int main() {
> struct passwd *pw;
> FILE *fp;
> errno = 0;
> fp = fopen("test-putpwent.output", "w");
> if (!fp || errno != 0) return errno;
> pw = malloc(sizeof(struct passwd));
> pw->pw_name = pw->pw_passwd = pw->pw_gecos = pw->pw_dir, pw->pw_shell =
> NULL;
> putpwent(pw, fp);
> fclose(fp);
> return 0;
> }
> galaxy@...l:~/musl-tests $ ls -ld test-putpwent.output
> ls: cannot access 'test-putpwent.output': No such file or directory
> galaxy@...l:~/musl-tests $ ./test-putpwent
> galaxy@...l:~/musl-tests $ cat test-putpwent.output
> (null):(null):0:0:(null):(null):(null)
> galaxy@...l:~/musl-tests $
> ===
>
> On a Glibc system, the putpwent() call with pw->pw_name being NULL will
> fail to
> produce a record. If the pw->pw_name field is not NULL, then it will
> produce a
> record with the name followed by empty string fields, like
> "user::0:0:::",
> which is more expected in my opinion.

Sorry, I wasn't clear. I was talking about glibc's implementation:

  if (p == NULL || stream == NULL
      || p->pw_name == NULL || !__nss_valid_field (p->pw_name)
      || !__nss_valid_field (p->pw_passwd)
      || !__nss_valid_field (p->pw_dir)
      || !__nss_valid_field (p->pw_shell))
    {
      __set_errno (EINVAL);
      return -1;
    }

It requires that all of pw_name, pw_passwd, pw_dir and pw_shell be non
null and only contain valid characters (that's what __nss_valid_field
checks for, and it seems they are checking for pw_name==NULL twice, so I
will see about sending a patch their way).

So, requiring some specific fields is compatible with glibc's impl, and
then for the other fields we should take care to print an empty string
instead of "(null)". I think that's a pretty valid change to implement.

>
> > > Moreover, putpwent() is inconsistent with putgrent() -- the latter
> > > locks the file before writing and unlocks afterwards, while the former
> > > is just going ahead with fprintf(). I know these funnctions are thread
> > > unsafe, but this lack of locking makes putpwent() plainly dangerous on
> > > a multiuser system.
> > 
> > I'm pretty sure these functions are always dangerous on multiuser
> > systems; flockfile(3) is FILE level locking, it just protects from other
> > threads touching a given FILE object. If you want to protect yourself
> > from multiple programs handling the file simultaneously, you need file
> > locking, such as done with fcntl(2).
>
> A fair point, I was not familiar with that function and somehow thought
> it was at
> the file level. I think that it is not libc's job to do file lockingi
> here, so I
> think we are fine in this regard. Thank you for explaining why there
> is an inconsistency, between putpwent() and putgrent() -- it makes
> sense.

No worries :)

>
> --
> (GM)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.