Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 Oct 2021 00:38:21 +0000
From: "(GalaxyMaster)" <>
Subject: Re: get/set*ent functions and real world applications


On Mon, Oct 11, 2021 at 02:18:47PM -0300, ??rico Nogueira wrote:
> On Mon Oct 11, 2021 at 10:32 AM -03, (GalaxyMaster) wrote:
> >
> > The whole parssing of password and group entires is quite "dumb", in
> > terms that
> > it always expects perfectly valid input and produces always correct
> > output, but
> > I would argue that these functions should be a bit smarter and should
> > not make
> > assumptions about the validity of the input, i.e treat it as untrusted
> > user
> > input.
> There's a reason it's recommended that one only make changes to these
> files using tools like the ones from the shadow suite. Things in /etc
> can, theoretically, only be written to by root or at least trusted
> users, so treating as entirely untrusted seems a bit over the top...

Well, I prefer to treat anything external to my application as untrusted input,
this saves time on troubleshooting weird issues later.  In your statement
above you put implicit trust into these abstract "trusted users", why guess
what these could or could not do if we can handle the input in a safe and
deterministic way?  There was an argument on this list that libc should not
treat/hide developer's mistakes and that's the reason you may see segfaults
on a musl-based system more often (it is less forgiving to the poorly written
code).  Hoowever, I would argue that this particular case requires special
treatment from libc since there is no way avoiding these functions if you
are working with passwd/group based files.

> It seems like both libraries are inconsistent in their own ways. glibc
> skips malformed entries when some fields are missing, but fixes a
> missing supplemental group entry. musl skips a missing supplemental
> group entry, but "fixes" malformed entries with fields missing.
> Maybe striving for consistency by either always skipping or always
> fixing entries seems like a more reasonable choice to me, maybe?

I am not defending Glibc, but I find their approach to this matter consistent
and expected from the common sense point of view.  I would rather see musl
aligned with it than try to convince everyone of yet another way of doing this.

> > With put*() functions the situation a bit better, but still could be
> > improved to achieve better compatibility. putpwent() will output
> > '(null)' for any NULL pointer passed for the string arguments (due to
> > direct call to fprintf() and the UB for that situation), while Glibc
> > would output an empty string instead.
> It would seem the function returns EINVAL instead of outputting anything
> at all, from my look at the code. I think that's reasonable behavior for
> musl to implement, given how badly specified the function is.

No, it is not behaving like that, it behaves exactly as I described:
galaxy@...l:~/musl-tests $ cat test-putpwent.c 
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>

int main() {
	struct passwd *pw;
	FILE *fp;
	errno = 0;
	fp = fopen("test-putpwent.output", "w");
	if (!fp || errno != 0) return errno;
	pw = malloc(sizeof(struct passwd));
	pw->pw_name = pw->pw_passwd = pw->pw_gecos = pw->pw_dir, pw->pw_shell = NULL;
	putpwent(pw, fp);
	return 0;
galaxy@...l:~/musl-tests $ ls -ld test-putpwent.output
ls: cannot access 'test-putpwent.output': No such file or directory
galaxy@...l:~/musl-tests $ ./test-putpwent 
galaxy@...l:~/musl-tests $ cat test-putpwent.output 
galaxy@...l:~/musl-tests $

On a Glibc system, the putpwent() call with pw->pw_name being NULL will fail to
produce a record.  If the pw->pw_name field is not NULL, then it will produce a
record with the name followed by empty string fields, like "user::0:0:::",
which is more expected in my opinion.

> > Moreover, putpwent() is inconsistent with putgrent() -- the latter
> > locks the file before writing and unlocks afterwards, while the former
> > is just going ahead with fprintf(). I know these funnctions are thread
> > unsafe, but this lack of locking makes putpwent() plainly dangerous on
> > a multiuser system.
> I'm pretty sure these functions are always dangerous on multiuser
> systems; flockfile(3) is FILE level locking, it just protects from other
> threads touching a given FILE object. If you want to protect yourself
> from multiple programs handling the file simultaneously, you need file
> locking, such as done with fcntl(2).

A fair point, I was not familiar with that function and somehow thought it was at
the file level.  I think that it is not libc's job to do file lockingi here, so I
think we are fine in this regard.  Thank you for explaining why there
is an inconsistency, between putpwent() and putgrent() -- it makes sense.


Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.