During a review of kdenetwork-filesharing [0] for inclusion in openSUSE Tumbleweed , I found an issue with the plugin's input validation of `authhelper`. It accepts arbitrary strings as user names, which are passed verbatim to `pdbedit`, `smbpasswd` and `usermod` respectively. The privileged `authhelper` program does not sanitize user-supplied arguments properly. In particular, AuthHelper::createuser() accepts arbitrary strings as user names. AuthHelper::createuser() calls `['smbpasswd', '-L', '-s', '-D', '0', '-a', user]`, and writes the password to the child's stdin. Some problematic user name arguments are: * `-d`: Disables the Samba account for root. * `-e`: Enables the Samba account for root, if it was intentionally disabled. * `-n`: User root password set to none. Remediation: Validate user names before passing them to the child process. An example validation function can be found in the standard "shadow" package [1]. A simple regular expression `\A[a-z_][a-z0-9_-]*\z` should be sufficient. [0] https://bugzilla.opensuse.org/show_bug.cgi?id=1175633 [1] https://github.com/shadow-maint/shadow/blob/master/libmisc/chkname.c#L58
Thanks for the report.
A possibly relevant merge request was started @ https://invent.kde.org/network/kdenetwork-filesharing/-/merge_requests/17
Git commit 19f000d8f9348f53e33a40a8723e9bbe09474be6 by Harald Sitter. Committed on 08/03/2021 at 10:36. Pushed by sitter into branch 'release/20.12'. run input user/group names through input validation to harden against abuse we'll match them against a regex that should only match what could possibly be a valid user or group name. thanks to Wolfgang Frisch and SUSE for the suggestion FIXED-IN: 20.12.3 M +12 -4 samba/filepropertiesplugin/authhelper.cpp https://invent.kde.org/network/kdenetwork-filesharing/commit/19f000d8f9348f53e33a40a8723e9bbe09474be6