A user with a logon name longer than 8 characters gets logged into FreeBSD as "root" after successful authentication as themselves, when logging in through GDM. This problem cannot be replicated in GDM on Linux, and appears to be related to the 8 character username limit in FreeBSD.

    [root@freebsd81-64 /usr/home/LAMPI/localuser10]# su LAMPI\\localuser10
    su: username too long

Any users coming from BeyondTrust PBIS or Likewise Open or NIS or LDAP who have usernames longer than 8 characters get blocked logging in via ssh or su, but when authenticating via GDM, they are dropped into the OS as "root" with $EUID=0 and $UID=0.

    [root@freebsd81-64 /usr/home/LAMPI/localuser10]# id lampi\\localuser10
    uid=239600760(LAMPI\localuser10) gid=239600129(LAMPI\domain^users) groups=239600129(LAMPI\domain^users),1545(BUILTIN\Users)

How-To-Repeat:

Create a user in a shared authentication engine with length($user) > 8. Make sure that the user shows up in NSS via "id". Then log in via GDM as the user. Open a terminal and type "id" to see that the user is now "root".

Responsible Changed
From-To: freebsd-bugs->gnome

Please make sure the problem is no longer present in the latest version and help the user to deal with the update. In case the problem still exists, I guess gdm should be marked broken for security reasons.

State Changed
From-To: open->feedback

Please try http://www.marcuscom.com/downloads/patch-daemon_gdm-session-worker.c to see if that fixes this hole.

Any progress on testing this patch? I don't have a setup to test this patch and I don't think Joe does either. I'd rather not commit an untested patch.

-Koop

I'm having a hard time getting my FreeBSD 8.2 build to stay stable long enough to re-test (VMware may be the problem?)

--
Robert Auch
BeyondTrust
773-655-6834 (Main)

-----Original Message-----
From: Koop Mast [mailto:kwm@rainbow-runner.nl]
Sent: Monday, September 12, 2011 2:06 PM
To: bug-followup@FreeBSD.org; rauch@beyondtrust.com
Subject: Re: ports/159721: x11/gdm: Usernames that are too long get logged onto GUI console as root

Any progress on testing this patch? I don't have a setup to test this patch and I don't think Joe does either. I'd rather not commit an untested patch.

-Koop

State Changed
From-To: feedback->closed

I believe this is fixed now.

marcus 2012-01-02 19:21:24 UTC

FreeBSD ports repository

Modified files:
  x11/gdm Makefile
  x11/gdm/files patch-daemon_gdm-session-worker.c
Log:
  Make sure to exit if there is a problem setting up the desktop session. If not, the user would be dropped in as root.

  PR: 159721

Revision Changes Path
1.140 +1 -1 ports/x11/gdm/Makefile
1.6 +9 -8 ports/x11/gdm/files/patch-daemon_gdm-session-worker.c
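
The failure mode named in the commit log above, as an added C example that is not the GDM patch or any code from this PR: a privileged worker that ignores a failed session setup starts the session with its own root credentials, while the checked variant refuses to start one. The credential structure, the function names and the 8-character check are assumptions modelled on the report, and no real uid change is performed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define NAME_LIMIT 8            /* assumption: the limit the report describes */

struct creds { uid_t uid; };    /* simulated credentials; nothing real changes */

/* Hypothetical setup step: move the worker to the user's uid, rejecting
 * over-long names the way su does in the report ("username too long"). */
static int setup_user_session(struct creds *c, const char *name, uid_t uid)
{
    if (strlen(name) > NAME_LIMIT)
        return -1;
    c->uid = uid;
    return 0;
}

/* Fail-open: the result is ignored, so a failed setup leaves uid 0 in place. */
int start_session_unchecked(const char *name, uid_t uid, uid_t *session_uid)
{
    struct creds worker = { 0 };            /* worker starts as root */
    setup_user_session(&worker, name, uid);
    *session_uid = worker.uid;
    return 0;
}

/* Fail-closed: stop on any setup error, and confirm the uid really changed. */
int start_session_checked(const char *name, uid_t uid, uid_t *session_uid)
{
    struct creds worker = { 0 };
    if (setup_user_session(&worker, name, uid) != 0 || worker.uid != uid)
        return -1;                          /* caller must exit, no session */
    *session_uid = worker.uid;
    return 0;
}

int main(void)
{
    const char *name = "LAMPI\\localuser10"; /* constructed from the report */
    uid_t got = 0;
    start_session_unchecked(name, 239600760, &got);
    printf("unchecked: session uid %lu\n", (unsigned long)got);
    if (start_session_checked(name, 239600760, &got) != 0)
        printf("checked: setup failed, refusing to start a session\n");
    return 0;
}
```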