misc/159721: Usernames that are too long get logged onto GUI console as root

Bjoern A. Zeeb bz at FreeBSD.org
Fri Aug 12 20:41:43 UTC 2011


On Aug 12, 2011, at 6:03 PM, Oliver Pinter wrote:

Hi,

> On 8/12/11, Robert Auch <rauch at beyondtrust.com> wrote:
>> 
>>> Number:         159721
>>> Category:       misc
>>> Synopsis:       Usernames that are too long get logged onto GUI console as
>>> root
>>> Confidential:   no
>>> Severity:       critical
>>> Priority:       high
>>> Responsible:    freebsd-bugs
>>> State:          open
>>> Quarter:
>>> Keywords:
>>> Date-Required:
>>> Class:          sw-bug
>>> Submitter-Id:   current-users
>>> Arrival-Date:   Fri Aug 12 17:00:22 UTC 2011
>>> Closed-Date:
>>> Last-Modified:
>>> Originator:     Robert Auch
>>> Release:        8.1
>>> Organization:
>> BeyondTrust Software
>>> Environment:
>>> Description:
>> A user with a logon name longer than 8 characters gets logged into FreeBSD
>> as "root" after successful authentication as themselves, when logging in
>> through GDM.
>> 
>> This problem cannot be replicated in GDM on Linux, and appears to be related
>> to the 8 character username limit in FreeBSD.
>> 
>> [root at freebsd81-64 /usr/home/LAMPI/localuser10]# su LAMPI\\localuser10
>> su: username too long
>> 
>> Any users coming from BeyondTrust PBIS or Likewise Open or NIS or LDAP who
>> have usernames longer than 8 characters get blocked logging in via ssh or
>> su, but when authenticating via GDM, they are dropped into the OS as "root"
>> with $EUID=0 and $UID=0.
>> 
>> [root at freebsd81-64 /usr/home/LAMPI/localuser10]# id lampi\\localuser10
>> uid=239600760(LAMPI\localuser10) gid=239600129(LAMPI\domain^users)
>> groups=239600129(LAMPI\domain^users),1545(BUILTIN\Users)
>>> How-To-Repeat:
>> Create a user in a shared authentication engine with length($user) > 8.
>> Make sure that the user shows up in NSS via "id". Then log in via GDM as the
>> user.  Open a terminal and type "id" to see that the user is now "root".

First of all, this is a ports issue. I added the maintainer of the port to Cc:.

But could you please follow up to the PR with the version of gdm you are using?
Checking the port I see quite a few fixes lately:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/x11/gdm/Makefile

If you are on the latest version, the port should be marked broken for security
reasons and you should work with the maintainer to get it fixed.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.
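
The report gives two observable conditions: login names longer than 8 characters, and a GDM session running with UID 0 after the user authenticated as themselves. As an added example (not part of this message or the PR), the sh functions below list such accounts from passwd-format input and flag a session whose UID disagrees with NSS; the function names and the sample entries are constructed, and the limit of 8 is the figure given in the report.

```shell
#!/bin/sh
# Added example, not code from the PR or from the gdm port.
# LIMIT is the username length quoted in the report.
LIMIT=8

# Constructed passwd-format sample; the long entry reuses the
# account name and ids shown in the report's "id" output.
sample_passwd() {
cat <<'EOF'
root:*:0:0:constructed:/root:/bin/csh
shortusr:*:1001:1001:constructed:/home/shortusr:/bin/sh
LAMPI\localuser10:*:239600760:239600129:constructed:/usr/home/LAMPI/localuser10:/bin/sh
EOF
}

# Print "name uid" for every entry on stdin whose login name is
# longer than LIMIT. On a live host: getent passwd | long_names
long_names() {
    awk -F: -v max="$LIMIT" 'length($1) > max + 0 { print $1, $3 }'
}

# Compare the UID a session runs with against the UID NSS reports
# for the account that authenticated.
#   $1 authenticated login name
#   $2 UID of the running session (e.g. output of "id -u")
#   $3 UID from NSS for that name (e.g. output of "id -u NAME")
# Returns 0 on match, 2 if the session is UID 0, 1 on any other mismatch.
check_session() {
    name=$1 session_uid=$2 nss_uid=$3
    if [ "$session_uid" = "$nss_uid" ]; then
        return 0
    fi
    if [ "$session_uid" = 0 ]; then
        printf 'ALERT: %s authenticated but session runs as uid 0\n' "$name" >&2
        return 2
    fi
    printf 'WARN: %s session uid %s, NSS uid %s\n' "$name" "$session_uid" "$nss_uid" >&2
    return 1
}

# Stand-alone run: list the accounts in the sample that exceed LIMIT.
sample_passwd | long_names
```
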

