dc732e7734
In preparation for supporting --exec I was testing the robustness of "--" handling and it became apparent that things are currently a bit broken in `su`.

Since "--" is currently of limited utility, as the subsequent words are simply passed to the shell after "-c","command_string", it seems to have gone unnoticed for ages.

However, with --exec, it's expected that "--" would be an almost required separator with every such usage, considering the following flags must be passed verbatim to execve() and will likely begin with hyphens looking indistinguishable from any other flags in lieu of shell interpolation to worry about.

For some practical context of the existing situation, this invocation doesn't work today:

```
$ su --command ls -- flags for shell
No passwd entry for user 'flags'
$
```

This should just run ls as root with "flags","for","shell" forwarded to the shell after "-c","ls".

The "--" should block "flags" from being treated as the user. That particular issue isn't a getopt one per se, it's arguably just a bug in su.c's implementation.

It *seemed* like an easy fix for this would be to add a check if argv[optind-1] were "--" before treating argv[optind] as USER.

But testing that fix revealed getopt was rearranging things when encountering "--", the "--" would always separate the handled opts from the unhandled ones. USER would become shifted to *after* "--" even when it occurred before it!

If we change the command to specify the user, it works as-is:

```
$ su --command ls root -- flags for shell
Password:
testfile
$
```

But what's rather surprising is how that works; the argv winds up:

"su","--command","ls","--","root","flags","for","shell"

with optind pointing at "root".

That arrangement of argv is indistinguishable from omitting the user and having "root","flags","for","shell" as the stuff after "--".

This makes it non-trivial to fix the bug of omitting user treating the first word after "--" as the user, which one could argue is a potentially serious security bug if you omit the user, expect the command to run as root, and the first word after "--" is a valid user, and what follows that something valid and potentially destructive not only running in unintended form but as whatever user happened to be the first word after "--".

So, it seems like something important to fix, and getopt seems to be getting in the way of fixing it properly without being more trouble than replacing getopt.

In disbelief of what I was seeing getopt doing with argv here, I took a glance at the getopt source and found the following:

```
/* The special ARGV-element '--' means premature end of options.
   Skip it like a null option,
   then exchange with previous non-options as if it were an option,
   then skip everything else like a non-option.  */

if (d->optind != argc && !strcmp (argv[d->optind], "--"))
```

I basically never use getopt personally because ages ago it annoyed me with its terrible API for what little it brought to the table, and this brings it to a whole new level of awful.
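The argv rearrangement described in the commit message above can be reproduced outside of `su`. This is an added example, not code from the shadow project: the `parse` and `ambiguous` helpers and the single `--command` option are assumptions for illustration, and the leading `+` in the second optstring is GNU getopt's stop-at-first-non-option mode, shown for contrast only and not the change the commit message argues for.

```c
#include <getopt.h>
#include <stdio.h>
#include <string.h>

/* Parse a su-like command line with getopt_long(). argv may be permuted
   in place; the index of the first unhandled word is returned. */
static int parse(int argc, char **argv, const char *optstring)
{
    static const struct option longopts[] = {
        {"command", required_argument, NULL, 'c'},
        {NULL, 0, NULL, 0}
    };
    optind = 0;                 /* glibc: reinitialise between scans */
    while (getopt_long(argc, argv, optstring, longopts, NULL) != -1)
        ;
    return optind;
}

/* Returns 1 when, after parsing, both command lines have "--" directly
   before the first unhandled word, i.e. the check argv[optind-1] == "--"
   cannot tell "USER given" from "USER omitted". */
static int ambiguous(const char *optstring)
{
    /* Constructed argv arrays matching the two invocations in the message */
    char *with_user[] = {"su", "--command", "ls", "root", "--",
                         "flags", "for", "shell", NULL};
    char *no_user[]   = {"su", "--command", "ls", "--",
                         "flags", "for", "shell", NULL};
    int a = parse(8, with_user, optstring);
    int b = parse(7, no_user, optstring);

    printf("optstring \"%s\"\n", optstring);
    printf("  with user: argv[optind-1]=\"%s\" argv[optind]=\"%s\"\n",
           with_user[a - 1], with_user[a]);
    printf("  no user:   argv[optind-1]=\"%s\" argv[optind]=\"%s\"\n",
           no_user[b - 1], no_user[b]);
    return !strcmp(with_user[a - 1], "--") && !strcmp(no_user[b - 1], "--");
}

int main(void)
{
    ambiguous("c:");    /* default: "--" is exchanged with the earlier "root" */
    ambiguous("+c:");   /* '+': scanning stops at "root", nothing is permuted */
    return 0;
}
```

With the default optstring both runs end with "--" immediately before the first unhandled word, so a caller cannot tell whether that word was written before or after the separator. With `+`, "root" stays ahead of "--", at the cost of no longer accepting options after the first non-option word.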
Shadow SITES
============

Homepage
    http://github.com/shadow-maint/shadow

Issue tracker
    http://github.com/shadow-maint/shadow/issues

Releases
    https://github.com/shadow-maint/shadow/releases

Mailing lists for
    general discuss: pkg-shadow-devel@alioth-lists.debian.net
    commit list: pkg-shadow-commits@alioth-lists.debian.net

Mailing lists subscription
    http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-devel
    http://alioth-lists.debian.net/mailman/listinfo/pkg-shadow-commits

Mailing lists archives:
    http://alioth-lists.debian.net/pipermail/pkg-shadow-devel/
    http://alioth-lists.debian.net/pipermail/pkg-shadow-commits/

S/Key support:
    Shadow can be built with S/Key support using the S/Key package from:
    http://cvsweb.netbsd.org/bsdweb.cgi/src/lib/libskey/
    or
    http://gentoo.osuosl.org/distfiles/skey-1.1.5.tar.bz2

Authors and contributors
========================

Thanks to at least the following people for sending patches, bug reports and various comments. This list may be incomplete, I received a lot of mail...

Adam Rudnicki <adam@v-lo.krakow.pl>
Alan Curry <pacman@tardis.mars.net>
Aleksa Sarai <cyphar@cyphar.com>
Alexander O. Yuriev <alex@bach.cis.temple.edu>
Algis Rudys <arudys@rice.edu>
Andreas Jaeger <aj@arthur.rhein-neckar.de>
Aniello Del Sorbo <anidel@edu-gw.dia.unisa.it>
Anton Gluck <gluc@midway.uchicago.edu>
Arkadiusz Miskiewicz <misiek@pld.org.pl>
Ben Collins <bcollins@debian.org>
Brian R. Gaeke <brg@dgate.org>
Calle Karlsson <ckn@kash.se>
Chip Rosenthal <chip@unicom.com>
Chris Evans <lady0110@sable.ox.ac.uk>
Chris Lamb <chris@chris-lamb.co.uk>
Cristian Gafton <gafton@sorosis.ro>
Dan Walsh <dwalsh@redhat.com>
Darcy Boese <possum@chardonnay.niagara.com>
Dave Hagewood <admin@arrowweb.com>
David A. Holland <dholland@hcs.harvard.edu>
David Frey <David.Frey@lugs.ch>
Ed Carp <ecarp@netcom.com>
Ed Neville <ed@s5h.net>
Eric W. Biederman <ebiederm@xmission.com>
Floody <flood@evcom.net>
Frank Denis <j@4u.net>
George Kraft IV <gk4@us.ibm.com>
Greg Mortensen <loki@world.std.com>
Guido van Rooij
Guy Maor <maor@debian.org>
Hrvoje Dogan <hdogan@bjesomar.srce.hr>
Jakub Hrozek <jhrozek@redhat.com>
Janos Farkas <chexum@bankinf.banki.hu>
Jason Franklin <jason.franklin@quoininc.com>
Jay Soffian <jay@lw.net>
Jesse Thilo <Jesse.Thilo@pobox.com>
Joey Hess <joey@kite.ml.org>
John Adelsberger <jja@umr.edu>
Jonathan Hankins <jhankins@mailserv.homewood.k12.al.us>
Jon Lewis <jlewis@lewis.org>
Joshua Cowan <jcowan@hermit.reslife.okstate.edu>
Judd Bourgeois <shagboy@bluesky.net>
Juergen Heinzl <unicorn@noris.net>
Juha Virtanen <jiivee@iki.fi>
Julian Pidancet <julian.pidancet@gmail.com>
Julianne Frances Haugh <jockgrrl@ix.netcom.com>
Leonard N. Zubkoff <lnz@dandelion.com>
Luca Berra <bluca@www.polimi.it>
Lukáš Kuklínek <lkukline@redhat.com>
Lutz Schwalowsky <schwalow@mineralogie.uni-hamburg.de>
Marc Ewing <marc@redhat.com>
Martin Bene <mb@sime.com>
Martin Mares <mj@gts.cz>
Michael Meskes <meskes@topsystem.de>
Michael Talbot-Wilson <mike@calypso.bns.com.au>
Michael Vetter <jubalh@iodoru.org>
Mike Frysinger <vapier@gentoo.org>
Mike Pakovic <mpakovic@users.southeast.net>
Nicolas François <nicolas.francois@centraliens.net>
Nikos Mavroyanopoulos <nmav@i-net.paiko.gr>
Pavel Machek <pavel@bug.ucw.cz>
Peter Vrabec <pvrabec@redhat.com>
Phillip Street
Rafał Maszkowski <rzm@icm.edu.pl>
Rani Chouha <ranibey@smartec.com>
Sami Kerola <kerolasa@rocketmail.com>
Scott Garman <scott.a.garman@intel.com>
Sebastian Rick Rijkers <srrijkers@gmail.com>
Seraphim Mellos <mellos@ceid.upatras.gr>
Shane Watts <shane@nexus.mlckew.edu.au>
Steve M. Robbins <steve@nyongwa.montreal.qc.ca>
Thorsten Kukuk <kukuk@suse.de>
Tim Hockin <thockin@eagle.ais.net>
Timo Karjalainen <timok@iki.fi>
Ulisses Alonso Camaro <ulisses@pusa.eleinf.uv.es>
Werner Fink <werner@suse.de>

Maintainers
===========

Tomasz Kłoczko <kloczek@pld.org.pl> (2000-2007)
Nicolas François <nicolas.francois@centraliens.net> (2007-2014)
Serge E. Hallyn <serge@hallyn.com> (2014-now)
Christian Brauner <christian@brauner.io> (2019-now)