Date:      Mon, 20 Dec 1999 14:17:07 -0700 (MST)
From:      "Forrest W. Christian" <forrestc@iMach.com>
To:        Peter Jeremy <peter.jeremy@alcatel.com.au>
Cc:        stable@FreeBSD.ORG
Subject:   Re: edquota problem
Message-ID:  <Pine.BSF.3.96.991220140952.16460B-100000@workhorse.iMach.com>
In-Reply-To: <99Dec21.070526est.40331@border.alcanet.com.au>

On Tue, 21 Dec 1999, Peter Jeremy wrote:

> >Specifically the code which determines whether the parameter is a username
> >or a range of uids only checks for a) whether the first character of the
> >parameter is a number and b) whether there is a dash in the parameter.
> 
> This is definitely wrong.  Input parameters should be properly checked
> for validity.

I fully agree.  In fact, I was rather shocked to see the code written that
way.   ESPECIALLY when setting something like:

   0plus-num 

as a username equates to setting uid 0's quota.

> IMHO, checking the parameter against the password file first, and
> then checking if it's all numeric (or a range) is probably the more
> reasonable approach, though this is a more complex fix.

This seems the MOST reasonable way to do this.  The only gotcha is that
there may be a situation where a username exists which matches the uid
range you're looking for, such as 10-20 or something like that.  However,
I figure that is much more rare than a uname starting with a number and
having a dash.

> >Alternatively, providing a switch to force one way or the other would be
> >ok also.
> 
> I don't like this idea.

The only thing I would maybe say is if I do (I'm leaning strongly that
way) fix the code to look for the uname first, then maybe a switch should
be added to FORCE the code to treat the argument as a range of uid's.

> It _should_ be fixed.  The simpler fix would replace the existing test
> and atoi()'s with something like:
> 
> 	if (isdigit(*argv[0]) &&
> 	    (startuid = strtol(*argv, &cp, 10)) >= 0 && *cp++ == '-' &&
> 	    isdigit(*cp) && (enduid = strtol(cp, &cp, 10)) >= 0 && !*cp) {
> 

I'll probably fix the code so that it looks at the argument and determines
if it is a valid user, and if not, submits it to the above evaluation for
a proper uid range.

Any other comments?

- Forrest W. Christian (forrestc@imach.com) KD7EHZ
----------------------------------------------------------------------
iMach, Ltd., P.O. Box 5749, Helena, MT 59604      http://www.imach.com
Solutions for your high-tech problems.                  (406)-442-6648
----------------------------------------------------------------------
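Added example, not part of the original message and not the edquota source: the argument check described in the thread beside a strict range parser in the spirit of the quoted `strtol()` test, with the password-database lookup done first as proposed. The names `weak_parse`, `strict_parse`, `classify` and `arg_kind` are hypothetical, the sample arguments are constructed, and the `ERANGE` and ordering checks are additions beyond the quoted fix.

```c
#include <ctype.h>
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Check as described in the thread: leading digit plus a dash anywhere;
 * bounds are then read with atoi(), which stops at the first non-digit. */
static int weak_parse(const char *arg, long *start, long *end)
{
    const char *dash = strchr(arg, '-');
    if (!isdigit((unsigned char)arg[0]) || dash == NULL)
        return 0;
    *start = atoi(arg);
    *end = atoi(dash + 1);      /* non-numeric text yields 0 */
    return 1;
}

/* Strict form: DIGITS '-' DIGITS and nothing else (ERANGE and end >= start added). */
static int strict_parse(const char *arg, long *start, long *end)
{
    char *cp;
    if (!isdigit((unsigned char)arg[0]))
        return 0;
    errno = 0;
    *start = strtol(arg, &cp, 10);
    if (errno == ERANGE || *cp != '-' || !isdigit((unsigned char)cp[1]))
        return 0;
    *end = strtol(cp + 1, &cp, 10);
    return errno != ERANGE && *cp == '\0' && *end >= *start;
}

enum arg_kind { ARG_USER, ARG_RANGE, ARG_INVALID };
/* Order proposed in the thread: password database first, uid range second. */
static enum arg_kind classify(const char *arg, long *start, long *end)
{
    if (getpwnam(arg) != NULL)
        return ARG_USER;
    return strict_parse(arg, start, end) ? ARG_RANGE : ARG_INVALID;
}

int main(void)
{
    const char *samples[] = { "0plus-num", "10-20", "10-20x", "20-10" }; /* constructed */
    long s, e;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s weak=%d kind=%d\n", samples[i],
               weak_parse(samples[i], &s, &e), classify(samples[i], &s, &e));
}
```

With the weak check, `0plus-num` is accepted and both bounds come back as 0; with the strict parser it is rejected unless it resolves as a real account name.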


