misc/159721: Usernames that are too long get logged onto GUI console as root
Bjoern A. Zeeb
bz at FreeBSD.org
Fri Aug 12 20:41:43 UTC 2011
On Aug 12, 2011, at 6:03 PM, Oliver Pinter wrote:
Hi,
> On 8/12/11, Robert Auch <rauch at beyondtrust.com> wrote:
>>
>>> Number: 159721
>>> Category: misc
>>> Synopsis: Usernames that are too long get logged onto GUI console as
>>> root
>>> Confidential: no
>>> Severity: critical
>>> Priority: high
>>> Responsible: freebsd-bugs
>>> State: open
>>> Quarter:
>>> Keywords:
>>> Date-Required:
>>> Class: sw-bug
>>> Submitter-Id: current-users
>>> Arrival-Date: Fri Aug 12 17:00:22 UTC 2011
>>> Closed-Date:
>>> Last-Modified:
>>> Originator: Robert Auch
>>> Release: 8.1
>>> Organization:
>> BeyondTrust Software
>>> Environment:
>>> Description:
>> A user with a logon name longer than 8 characters gets logged into FreeBSD
>> as "root" after successful authentication as themselves, when logging in
>> through GDM.
>>
>> This problem cannot be replicated in GDM on Linux, and appears to be related
>> to the 8 character username limit in FreeBSD.
>>
>> [root@freebsd81-64 /usr/home/LAMPI/localuser10]# su LAMPI\\localuser10
>> su: username too long
>>
>> Any users coming from BeyondTrust PBIS or Likewise Open or NIS or LDAP who
>> have usernames longer than 8 characters get blocked logging in via ssh or
>> su, but when authenticating via GDM, they are dropped into the OS as "root"
>> with $EUID=0 and $UID=0.
>>
>> [root@freebsd81-64 /usr/home/LAMPI/localuser10]# id lampi\\localuser10
>> uid=239600760(LAMPI\localuser10) gid=239600129(LAMPI\domain^users)
>> groups=239600129(LAMPI\domain^users),1545(BUILTIN\Users)
>>> How-To-Repeat:
>> Create a user in a shared authentication engine with length($user) > 8.
>> Make sure that the user shows up in NSS via "id". Then log in via GDM as the
>> user. Open a terminal and type "id" to see that the user is now "root".
First of all, this is a ports issue. I added the maintainer of the port to Cc:.
But could you please follow up to the PR with the version of gdm you are using?
Checking the port I see quite a few fixes lately:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/x11/gdm/Makefile
If you are on the latest version, the port should be marked broken for security
reasons and you should work with the maintainer to get it fixed.
/bz
--
Bjoern A. Zeeb You have to have visions!
Stop bit received. Insert coin for new address family.
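A fail-closed identity check of the kind `su` shows in the transcript above, as an added example that is not part of the original messages and not GDM's code. The function name, result codes and the `max_name` parameter are assumptions; the thread does not state the root cause in GDM, so this only enforces the invariant the report shows being violated: the session uid must equal the authenticated account's uid.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical result codes for this example. */
enum id_check { ID_OK, ID_NO_ACCOUNT, ID_NAME_TOO_LONG, ID_UID_MISMATCH };

/* Check the identity a session is about to run with, just before exec.
 * pw is the NSS record for auth_name (NULL if the lookup failed);
 * max_name is the longest login name the platform accepts (assumed). */
enum id_check check_session_identity(const char *auth_name,
    const struct passwd *pw, uid_t uid, uid_t euid, size_t max_name)
{
    if (auth_name == NULL || pw == NULL)
        return ID_NO_ACCOUNT;
    /* Refuse over-long names outright, as su does in the report. */
    if (strlen(auth_name) > max_name)
        return ID_NAME_TOO_LONG;
    /* The session must run as the authenticated account and nothing else. */
    if (uid != pw->pw_uid || euid != pw->pw_uid)
        return ID_UID_MISMATCH;
    return ID_OK;
}

/* Constructed record mirroring the id output quoted in the report. */
struct passwd sample_account(void)
{
    static char name[] = "LAMPI\\localuser10";
    struct passwd pw;
    memset(&pw, 0, sizeof(pw));
    pw.pw_name = name;
    pw.pw_uid = 239600760;
    pw.pw_gid = 239600129;
    return pw;
}

int main(void)
{
    struct passwd pw = sample_account();
    /* uid 0 after authenticating as a non-root account must be refused. */
    printf("limit 8:  %d\n", (int)check_session_identity(pw.pw_name, &pw, 0, 0, 8));
    printf("limit 32: %d\n", (int)check_session_identity(pw.pw_name, &pw, 0, 0, 32));
    printf("correct:  %d\n", (int)check_session_identity(pw.pw_name, &pw, pw.pw_uid, pw.pw_uid, 32));
    return 0;
}
```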