Go to file
Vito Caputo dc732e7734 su.c: replace getopt with ad-hoc flag processing
In preparation for supporting --exec I was testing the robustness
of "--" handling and it became apparent that things are currently
a bit broken in `su`.

Since "--" is currently of limited utility, as the subsequent
words are simply passed to the shell after "-c","command_string",
it seems to have gone unnoticed for ages.

However, with --exec, it's expected that "--" would be an almost
required separator with every such usage, considering the
following flags must be passed verbatim to execve() and will
likely begin with hyphens looking indistinguishable from any
other flags in lieu of shell interpolation to worry about.

For some practical context of the existing situation, this
invocation doesn't work today:
```
  $ su --command ls -- flags for shell
  No passwd entry for user 'flags'
  $
```

This should just run ls as root with "flags","for","shell"
forwarded to the shell after "-c","ls".

The "--" should block "flags" from being treated as the user.
That particular issue isn't a getopt one per-se, it's arguably
just a bug in su.c's implementation.

It *seemed* like an easy fix for this would be to add a check if
argv[optind-1] were "--" before treating argv[optind] as USER.

But testing that fix revealed getopt was rearranging things when
encountering "--", the "--" would always separate the handled
opts from the unhandled ones.  USER would become shifted to
*after* "--" even when it occurred before it!

If we change the command to specify the user, it works as-is:
```
  $ su --command ls root -- flags for shell
  Password:
  testfile
  $

```

But what's rather surprising is how that works; the argv winds up:

"su","--command","ls","--","root","flags","for","shell"

with optind pointing at "root".

That arrangement of argv is indistinguishable from omitting the
user and having "root","flags","for","shell" as the stuff after
"--".

This makes it non-trivial to fix the bug of omitting user
treating the first word after "--" as the user, which one could
argue is a potentially serious security bug if you omit the user,
expect the command to run as root, and the first word after "--"
is a valid user, and what follows that something valid and
potentially destructive not only running in unintended form but
as whatever user happened to be the first word after "--".

So, it seems like something important to fix, and getopt seems to
be getting in the way of fixing it properly without being more
trouble than replacing getopt.

In disbelief of what I was seeing getopt doing with argv here, I
took a glance at the getopt source and found the following:

```
      /* The special ARGV-element '--' means premature end of options.
	 Skip it like a null option,
	 then exchange with previous non-options as if it were an option,
	 then skip everything else like a non-option.  */

      if (d->optind != argc && !strcmp (argv[d->optind], "--"))
```

I basically never use getopt personally because ages ago it
annoyed me with its terrible API for what little it brought to
the table, and this brings it to a whole new level of awful.
2020-08-27 23:43:25 -05:00
contrib spelling: thanks 2017-10-22 21:24:49 +00:00
doc spelling: moment 2017-10-22 20:39:14 +00:00
docs github pages takes an index.html 2019-06-09 00:02:45 -05:00
etc Add "NONEXISTENT" to "etc/login.defs" 2020-05-11 09:26:04 -04:00
lib Merge pull request #270 from darktemplarbasealt/fix_resource_leak 2020-08-10 20:34:50 -05:00
libmisc Merge pull request #244 from sthibaul/master 2020-04-23 10:56:48 -05:00
libsubid libsubid: fix a prototype in api.h 2020-06-19 22:09:20 -05:00
man Merge pull request #263 from edneville/261_grpck_questionable_warning 2020-08-11 13:58:22 -05:00
po (nl) updated Dutch translation 2020-05-24 15:26:06 +02:00
src su.c: replace getopt with ad-hoc flag processing 2020-08-27 23:43:25 -05:00
tests Create a new libsubid 2020-06-07 12:11:58 -05:00
.gitignore ignore config.cache & dist files 2016-12-05 15:48:10 -05:00
.travis.yml Create a new libsubid 2020-06-07 12:11:58 -05:00
acinclude.m4
autogen.sh Create a new libsubid 2020-06-07 12:11:58 -05:00
ChangeLog configure.ac: release 4.8.1 2020-01-23 14:56:43 -06:00
configure.ac Create a new libsubid 2020-06-07 12:11:58 -05:00
COPYING
Makefile.am Create a new libsubid 2020-06-07 12:11:58 -05:00
NEWS spelling: various 2017-10-22 21:33:42 +00:00
README Update the "README" file 2020-05-11 09:27:01 -04:00
shadow.spec.in
TODO New entry for vipw. 2012-01-15 21:26:56 +00:00

Shadow SITES
============

Homepage
	http://github.com/shadow-maint/shadow

Issue tracker
	http://github.com/shadow-maint/shadow/issues

Releases
	https://github.com/shadow-maint/shadow/releases

Mailing lists
	for general discuss: pkg-shadow-devel@alioth-lists.debian.net
	commit list: pkg-shadow-commits@alioth-lists.debian.net

Mailing lists subscription
	http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel
	http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-commits

Mailing lists archives:
	http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/
	http://alioth-lists.debian.net/pipermail/pkg-shadow-commits/

S/Key support:
	Shadow can be built with S/Key support using the S/Key package from:

	http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/
	or
	http://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2

Authors and contributors
========================

Thanks to at least the following people for sending patches, bug
reports and various comments.  This list may be incomplete, I received
a lot of mail...


Adam Rudnicki <adam@v-lo.krakow.pl>
Alan Curry <pacman@tardis.mars.net>
Aleksa Sarai <cyphar@cyphar.com>
Alexander O. Yuriev <alex@bach.cis.temple.edu>
Algis Rudys <arudys@rice.edu>
Andreas Jaeger <aj@arthur.rhein-neckar.de>
Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
Anton Gluck <gluc@midway.uchicago.edu>
Arkadiusz Miskiewicz <misiek@pld.org.pl>
Ben Collins <bcollins@debian.org>
Brian R. Gaeke <brg@dgate.org>
Calle Karlsson <ckn@kash.se>
Chip Rosenthal <chip@unicom.com>
Chris Evans <lady0110@sable.ox.ac.uk>
Chris Lamb <chris@chris-lamb.co.uk>
Cristian Gafton <gafton@sorosis.ro>
Dan Walsh <dwalsh@redhat.com>
Darcy Boese <possum@chardonnay.niagara.com>
Dave Hagewood <admin@arrowweb.com>
David A. Holland <dholland@hcs.harvard.edu>
David Frey <David.Frey@lugs.ch>
Ed Carp <ecarp@netcom.com>
Ed Neville <ed@s5h.net>
Eric W. Biederman" <ebiederm@xmission.com>
Floody <flood@evcom.net>
Frank Denis <j@4u.net>
George Kraft IV <gk4@us.ibm.com>
Greg Mortensen <loki@world.std.com>
Guido van Rooij
Guy Maor <maor@debian.org>
Hrvoje Dogan <hdogan@bjesomar.srce.hr>
Jakub Hrozek <jhrozek@redhat.com>
Janos Farkas <chexum@bankinf.banki.hu>
Jason Franklin <jason.franklin@quoininc.com>
Jay Soffian <jay@lw.net>
Jesse Thilo <Jesse.Thilo@pobox.com>
Joey Hess <joey@kite.ml.org>
John Adelsberger <jja@umr.edu>
Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
Jon Lewis <jlewis@lewis.org>
Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
Judd Bourgeois <shagboy@bluesky.net>
Juergen Heinzl <unicorn@noris.net>
Juha Virtanen <jiivee@iki.fi>
Julian Pidancet <julian.pidancet@gmail.com>
Julianne Frances Haugh <jockgrrl@ix.netcom.com>
Leonard N. Zubkoff <lnz@dandelion.com>
Luca Berra <bluca@www.polimi.it>
Lukáš Kuklínek <lkukline@redhat.com>
Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
Marc Ewing <marc@redhat.com>
Martin Bene <mb@sime.com>
Martin Mares <mj@gts.cz>
Michael Meskes <meskes@topsystem.de>
Michael Talbot-Wilson <mike@calypso.bns.com.au>
Michael Vetter <jubalh@iodoru.org>
Mike Frysinger <vapier@gentoo.org>
Mike Pakovic <mpakovic@users.southeast.net>
Nicolas François <nicolas.francois@centraliens.net>
Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
Pavel Machek <pavel@bug.ucw.cz>
Peter Vrabec <pvrabec@redhat.com>
Phillip Street
Rafał Maszkowski <rzm@icm.edu.pl>
Rani Chouha <ranibey@smartec.com>
Sami Kerola <kerolasa@rocketmail.com>
Scott Garman <scott.a.garman@intel.com>
Sebastian Rick Rijkers <srrijkers@gmail.com>
Seraphim Mellos <mellos@ceid.upatras.gr>
Shane Watts <shane@nexus.mlckew.edu.au>
Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
Thorsten Kukuk <kukuk@suse.de>
Tim Hockin <thockin@eagle.ais.net>
Timo Karjalainen <timok@iki.fi>
Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
Werner Fink <werner@suse.de>

Maintainers
===========

Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
Serge E. Hallyn <serge@hallyn.com> (2014-now)
Christian Brauner <christian@brauner.io> (2019-now)