Bug 432757

Summary: kdenetwork-filesharing: AuthHelper does not sanitize command-line arguments
Product: [Frameworks and Libraries] kdenetwork-filesharing
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: general
Assignee: Harald Sitter <sitter>
Status: RESOLVED FIXED
Severity: normal
CC: kfm-devel, nate, rdieter, sitter
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: Other
OS: Linux
Version Fixed In: 20.12.3

Description Wolfgang Frisch 2021-02-10 20:10:08 UTC
During a review of kdenetwork-filesharing [0] for inclusion in openSUSE Tumbleweed, I found an issue with the plugin's input validation of `authhelper`. It accepts arbitrary strings as user names, which are passed verbatim to `pdbedit`, `smbpasswd` and `usermod` respectively.

The privileged `authhelper` program does not sanitize user-supplied arguments properly. In particular, AuthHelper::createuser() accepts arbitrary strings as user names.

AuthHelper::createuser() calls `['smbpasswd', '-L', '-s', '-D', '0', '-a', user]`, and writes the password to the child's stdin.

Some problematic user name arguments are:

* `-d`: Disables the Samba account for root.
* `-e`: Enables the Samba account for root, if it was intentionally disabled.
* `-n`: User root password set to none.

Remediation:

Validate user names before passing them to the child process. An example validation function can be found in the standard "shadow" package [1]. A simple regular expression `\A[a-z_][a-z0-9_-]*\z` should be sufficient.

[0] https://bugzilla.opensuse.org/show_bug.cgi?id=1175633
[1] https://github.com/shadow-maint/shadow/blob/master/libmisc/chkname.c#L58
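
The validation suggested in the report above, sketched as an added example; it is not part of the report and not the project's code or its fix. It uses `std::regex` from the standard library, and the names `isValidUserName` and `buildSmbpasswdArgs` are hypothetical.

```cpp
#include <regex>
#include <string>
#include <vector>

// Hypothetical helper: true only for names matching the report's suggested
// pattern \A[a-z_][a-z0-9_-]*\z. std::regex has no \A or \z, so regex_match,
// which must consume the entire string, provides the anchoring. A leading
// '-', a trailing newline or an embedded space therefore fails.
bool isValidUserName(const std::string &name)
{
    static const std::regex pattern("[a-z_][a-z0-9_-]*");
    return std::regex_match(name, pattern);
}

// Hypothetical helper: fills `args` with the smbpasswd argument vector quoted
// in the report and returns true, or leaves `args` empty and returns false
// when the name is rejected. The caller starts the child process only on
// true, so an option string can never land in the user-name slot.
bool buildSmbpasswdArgs(const std::string &user, std::vector<std::string> &args)
{
    args.clear();
    if (!isValidUserName(user)) {
        return false;
    }
    args = {"smbpasswd", "-L", "-s", "-D", "0", "-a", user};
    return true;
}

int main()
{
    // Constructed sample inputs: the three option strings listed in the
    // report, two plausible names, and a few edge cases.
    const std::vector<std::string> samples = {
        "-d", "-e", "-n", "alice", "_svc-1", "", "alice\n", "Root", "a b"};
    int rejected = 0;
    std::vector<std::string> args;
    for (const auto &s : samples) {
        if (!buildSmbpasswdArgs(s, args)) {
            ++rejected;
        }
    }
    // Only "alice" and "_svc-1" pass; the other seven are rejected.
    return rejected == 7 ? 0 : 1;
}
```
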
Comment 1 Harald Sitter 2021-02-16 15:36:00 UTC
Thanks for the report.
Comment 2 Bug Janitor Service 2021-02-16 15:47:01 UTC
A possibly relevant merge request was started @ https://invent.kde.org/network/kdenetwork-filesharing/-/merge_requests/17
Comment 3 Harald Sitter 2021-03-08 10:36:35 UTC
Git commit 19f000d8f9348f53e33a40a8723e9bbe09474be6 by Harald Sitter.
Committed on 08/03/2021 at 10:36.
Pushed by sitter into branch 'release/20.12'.

run input user/group names through input validation

to harden against abuse we'll match them against a regex that should
only match what could possibly be a valid user or group name.

thanks to Wolfgang Frisch and SUSE for the suggestion
FIXED-IN: 20.12.3

M  +12   -4    samba/filepropertiesplugin/authhelper.cpp

https://invent.kde.org/network/kdenetwork-filesharing/commit/19f000d8f9348f53e33a40a8723e9bbe09474be6