useradd ignores invalid range specifiers

useradd ignores invalid range specifiers

Stefan Filipek
>Synopsis:      useradd ignores invalid range specifiers
>Category:      User
>Environment:
        System      : OpenBSD 6.4
        Details     : OpenBSD 6.4 (GENERIC.MP) #364: Thu Oct 11 13:30:23 MDT 2018
                      [hidden email]:/usr/src/sys/arch/amd64/compile/GENERIC.MP

        Architecture: OpenBSD.amd64
        Machine     : amd64

>Description:
useradd will ignore invalid range specifiers given on the command line
and (unexpectedly) continue executing with the default UID range.

>How-To-Repeat:
Provide an invalid range specifier when creating a user:
    $ doas ./user add -r 10000-11000 foobar
    user: Bad range `10000-11000'

The user (and group) will still be created, but with the default ID range.

>Fix:
Patch below causes the process to exit during argument parsing:

Index: usr.sbin/user/user.c
===================================================================
RCS file: /cvs/src/usr.sbin/user/user.c,v
retrieving revision 1.123
diff -u -p -u -r1.123 user.c
--- usr.sbin/user/user.c        15 Oct 2018 18:27:27 -0000      1.123
+++ usr.sbin/user/user.c        31 Dec 2018 13:58:43 -0000
@@ -1848,7 +1848,9 @@ useradd(int argc, char **argv)
                        break;
                case 'r':
                        defaultfield = 1;
-                       (void) save_range(&u, optarg);
+                       if (save_range(&u, optarg) == 0) {
+                               errx(EXIT_FAILURE, "Error parsing uid range");
+                       }
                        break;
                case 's':
                        defaultfield = 1;
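
Review bot: in the `case 'r':` branch the added errx() prints a second diagnostic on top of the one the existing code already produces (the How-To-Repeat output shows "user: Bad range `10000-11000'"), so a bad -r argument now yields two error lines, and the new one drops the offending value. Consider exiting without a second message, or moving the exit to where "Bad range" is reported so there is a single message that includes optarg. The braces around the lone errx() statement are unnecessary under style(9). The `== 0` test also depends on save_range()'s return convention, which this hunk does not show; it is worth confirming that 0 is its only failure value.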

Re: useradd ignores invalid range specifiers

Todd C. Miller-2
Thanks, I've committed a slightly different fix that only prints
an error message once before exiting.

 - todd
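
The failure mode reported in this thread is a range that fails to parse while the program carries on with its defaults. The stand-alone C program below avoids it by rejecting the argument before anything is created. It is an added example, not code from user.c or from either poster; the `low..high` syntax, `struct uid_range`, `parse_id`, `parse_uid_range` and the default values are assumptions made for illustration.

```c
/* Added example; not code from usr.sbin/user/user.c. */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct uid_range { long from, to; };	/* hypothetical type */

/* Parse one unsigned decimal id and advance *s; returns 0 on failure. */
static int parse_id(const char **s, long *out)
{
	char *end;

	if (**s < '0' || **s > '9')	/* no sign, whitespace or empty field */
		return 0;
	errno = 0;
	*out = strtol(*s, &end, 10);
	if (errno == ERANGE || *out > INT_MAX)
		return 0;
	*s = end;
	return 1;
}

/*
 * Parse "low..high" (assumed syntax). Returns 1 on success, 0 on failure.
 * *r is written only on success, so a caller cannot end up half-updated.
 */
int parse_uid_range(const char *spec, struct uid_range *r)
{
	struct uid_range tmp;

	if (!parse_id(&spec, &tmp.from) || strncmp(spec, "..", 2) != 0)
		return 0;
	spec += 2;
	if (!parse_id(&spec, &tmp.to) || *spec != '\0' || tmp.from > tmp.to)
		return 0;
	*r = tmp;
	return 1;
}

int main(int argc, char **argv)
{
	struct uid_range r = { 1000, 60000 };	/* constructed defaults */

	if (argc > 1 && !parse_uid_range(argv[1], &r)) {
		fprintf(stderr, "bad range `%s'\n", argv[1]);
		return EXIT_FAILURE;	/* fail closed: never fall back to defaults */
	}
	printf("allocating ids from %ld..%ld\n", r.from, r.to);
	return 0;
}
```

The return value is checked at the call site and the error is printed once, with the offending argument, before the process exits.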