Date:      Fri, 12 Aug 2011 20:41:36 +0000
From:      "Bjoern A. Zeeb" <bz@FreeBSD.org>
To:        Robert Auch <rauch@beyondtrust.com>
Cc:        gnome@FreeBSD.org
Subject:   Re: misc/159721: Usernames that are too long get logged onto GUI console as root
Message-ID:  <492CA9C5-9681-48F1-92ED-C5246B457DDB@FreeBSD.org>
In-Reply-To: <CAPjTQNFpY9ZiC39t0RM_Ea-N-gs6SGkLVZm=ODmD0zNLrN%2BBpQ@mail.gmail.com>
References:  <201108121653.p7CGr4Oo045140@red.freebsd.org> <CAPjTQNFpY9ZiC39t0RM_Ea-N-gs6SGkLVZm=ODmD0zNLrN%2BBpQ@mail.gmail.com>

On Aug 12, 2011, at 6:03 PM, Oliver Pinter wrote:

Hi,

> On 8/12/11, Robert Auch <rauch@beyondtrust.com> wrote:
>>
>>> Number:         159721
>>> Category:       misc
>>> Synopsis:       Usernames that are too long get logged onto GUI console as root
>>> Confidential:   no
>>> Severity:       critical
>>> Priority:       high
>>> Responsible:    freebsd-bugs
>>> State:          open
>>> Quarter:
>>> Keywords:
>>> Date-Required:
>>> Class:          sw-bug
>>> Submitter-Id:   current-users
>>> Arrival-Date:   Fri Aug 12 17:00:22 UTC 2011
>>> Closed-Date:
>>> Last-Modified:
>>> Originator:     Robert Auch
>>> Release:        8.1
>>> Organization:
>> BeyondTrust Software
>>> Environment:
>>> Description:
>> A user with a logon name longer than 8 characters gets logged into FreeBSD
>> as "root" after successful authentication as themselves, when logging in
>> through GDM.
>>
>> This problem cannot be replicated in GDM on Linux, and appears to be related
>> to the 8 character username limit in FreeBSD.
>>
>> [root@freebsd81-64 /usr/home/LAMPI/localuser10]# su LAMPI\\localuser10
>> su: username too long
>>
>> Any users coming from BeyondTrust PBIS or Likewise Open or NIS or LDAP who
>> have usernames longer than 8 characters get blocked logging in via ssh or
>> su, but when authenticating via GDM, they are dropped into the OS as "root"
>> with $EUID=0 and $UID=0.
>>
>> [root@freebsd81-64 /usr/home/LAMPI/localuser10]# id lampi\\localuser10
>> uid=239600760(LAMPI\localuser10) gid=239600129(LAMPI\domain^users)
>> groups=239600129(LAMPI\domain^users),1545(BUILTIN\Users)
>>> How-To-Repeat:
>> Create a user in a shared authentication engine with length($user) > 8.
>> make sure that the user shows up in NSS via "id". Then log in via GDM as the
>> user.  Open a terminal and type "id" to see that the user is now "root".

First of all this is a ports issue. I added the maintainer of the port to Cc:.

But could you please follow up to the PR with the version of gdm you are using.
Checking the port I see quite a few fixes lately:
http://www.freebsd.org/cgi/cvsweb.cgi/ports/x11/gdm/Makefile

If you are on the latest version the port should be marked broken for security
reasons and you should work with the maintainer to get it fixed.

/bz

-- 
Bjoern A. Zeeb                                 You have to have visions!
         Stop bit received. Insert coin for new address family.



