From owner-freebsd-stable Mon Dec 20 13:24:42 1999 Delivered-To: freebsd-stable@freebsd.org Received: from workhorse.iMach.com (workhorse.iMach.com [206.127.77.89]) by hub.freebsd.org (Postfix) with ESMTP id 685D715281 for ; Mon, 20 Dec 1999 13:24:38 -0800 (PST) (envelope-from forrestc@workhorse.iMach.com) Received: from localhost (forrestc@localhost) by workhorse.iMach.com (8.8.8/8.8.8) with SMTP id OAA20949; Mon, 20 Dec 1999 14:17:08 -0700 (MST) Date: Mon, 20 Dec 1999 14:17:07 -0700 (MST) From: "Forrest W. Christian" To: Peter Jeremy Cc: stable@FreeBSD.ORG Subject: Re: edquota problem In-Reply-To: <99Dec21.070526est.40331@border.alcanet.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-stable@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Tue, 21 Dec 1999, Peter Jeremy wrote: > >Specifically the code which determines whether the parameter is a username > >or a range of uids only checks for a) whether the first character of the > >parameter is a number and b) whether there is a dash in the parameter. > > This is definitely wrong. Input parameters should be properly checked > for validity. I fully agree. In fact, I was rather shocked to see the code written that way. ESPECIALLY when setting something like: 0plus-num as a username equates to setting uid 0's quota. > IMHO, checking the parameter against the password file first, and > then checking if it's all numeric (or a range) is probably the more > reasonable approach, though this is a more complex fix. This seems the MOST reasonable way to do this. The only gotcha is that there may be a situation where a username exists which matches the uid range you're looking for, such as 10-20 or something like that. However, I figure that is much more rare than a uname starting with a number and having a dash. > >Alternatively, providing a switch to force one way or the other would be > >ok also. > > I don't like this idea. The only thing I would maybe say is if I do (I'm leaning strongly that way) fix the code to look for the uname first, then maybe a switch should be added to FORCE the code to treat the argument as a range of uid's. > It _should_ be fixed. The simpler fix would replace the existing test > and atoi()'s with something like: > > if (isdigit(*argv[0]) && > (startuid = strtol(*argv, &cp, 10)) >= 0 && *cp++ == '-' && > isdigit(*cp) && (enduid = strtol(cp, &cp, 10)) >= 0 && !*cp) { > I'll probably fix the code so that it looks at the argument and determines if it is a valid user, and if not, submits it to the above evaluation for a proper uid range. Any other comments? - Forrest W. Christian (forrestc@imach.com) KD7EHZ ---------------------------------------------------------------------- iMach, Ltd., P.O. Box 5749, Helena, MT 59604 http://www.imach.com Solutions for your high-tech problems. (406)-442-6648 ---------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message