Bug 159721 - x11/gdm: Usernames that are too long get logged onto GUI console as root
Summary: x11/gdm: Usernames that are too long get logged onto GUI console as root
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: Normal Affects Only Me
Assignee: freebsd-gnome (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-08-12 18:00 UTC by Robert Auch
Modified: 2012-01-02 19:30 UTC (History)
0 users

See Also:


Attachments
smime.p7s (5.48 KB, application/pkcs7-signature)
2011-09-12 20:10 UTC, rauch
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Auch 2011-08-12 18:00:22 UTC
A user with a logon name longer than 8 characters gets logged into FreeBSD as "root" after successful authentication as themselves, when logging in through GDM.

This problem cannot be replicated in GDM on Linux, and appears to be related to the 8 character username limit in FreeBSD.

[root@freebsd81-64 /usr/home/LAMPI/localuser10]# su LAMPI\\localuser10
su: username too long

Any users coming from BeyondTrust PBIS or Likewise Open or NIS or LDAP who have usernames longer than 8 characters get blocked logging in via ssh or su, but when authenticating via GDM, they are dropped into the OS as "root" with $EUID=0 and $UID=0.

[root@freebsd81-64 /usr/home/LAMPI/localuser10]# id lampi\\localuser10
uid=239600760(LAMPI\localuser10) gid=239600129(LAMPI\domain^users)
groups=239600129(LAMPI\domain^users),1545(BUILTIN\Users)

How-To-Repeat: Create a user in a shared authentication engine with length($user) > 8.  make sure that the user shows up in NSS via "id". Then log in via GDM as the user.  Open a terminal and type "id" to see that the user is now "root".
Comment 1 Bjoern A. Zeeb freebsd_committer 2011-08-12 21:42:11 UTC
Responsible Changed
From-To: freebsd-bugs->gnome

Please make sure the problem is no longer present in the latest 
version and help the user to deal with the update.  In case the 
problem still exists, I guess gdm should be marked broken for 
security reasons.
Comment 2 Joe Marcus Clarke freebsd_committer 2011-08-14 04:38:10 UTC
State Changed
From-To: open->feedback

Please try http://www.marcuscom.com/downloads/patch-daemon_gdm-session-worker.c 
to see if that fixes this hole.
Comment 3 Koop Mast 2011-09-12 20:06:19 UTC
Any progress on testing this patch? I don't have a setup to test this
patch and I don't think Joe does either. I rather not commit a untested
patch.

-Koop
Comment 4 rauch 2011-09-12 20:10:43 UTC
I'm having a hard time getting my FreeBSD 8.2 build to stay stable long
enough to re-test (vmware maybe the problem?)

--
Robert Auch
BeyondTrust
773-655-6834 (Main)



-----Original Message-----
From: Koop Mast [mailto:kwm@rainbow-runner.nl] 
Sent: Monday, September 12, 2011 2:06 PM
To: bug-followup@FreeBSD.org; rauch@beyondtrust.com
Subject: Re: ports/159721: x11/gdm: Usernames that are too long get logged
onto GUI console as root

Any progress on testing this patch? I don't have a setup to test this patch
and I don't think Joe does either. I rather not commit a untested patch.

-Koop
Comment 5 Joe Marcus Clarke freebsd_committer 2012-01-02 19:21:28 UTC
State Changed
From-To: feedback->closed

I believe this is fixed now.
Comment 6 dfilter service freebsd_committer 2012-01-02 19:21:34 UTC
marcus      2012-01-02 19:21:24 UTC

  FreeBSD ports repository

  Modified files:
    x11/gdm              Makefile 
    x11/gdm/files        patch-daemon_gdm-session-worker.c 
  Log:
  Make sure to exit if there is a problem setting up the desktop session.
  If not, the user would be dropped in as root.
  
  PR:             159721
  
  Revision  Changes    Path
  1.140     +1 -1      ports/x11/gdm/Makefile
  1.6       +9 -8      ports/x11/gdm/files/patch-daemon_gdm-session-worker.c
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"