Tags Tags

Bug#607129: vsftpd should not use grep in checking for group and user

December 14th, 2010 - 04:10 pm ET by Scott Moser | Report spam
Help Create a new topic
Package: vsftpd
Version: 2.3.2-6
Severity: wishlist

vsftpd.postinst does
if ! getent passwd | grep -q "^${_USERNAME}:"
and
elif ! getent group | grep -q "^${_USERNAME}:

the grep could potentiall hit a false positive due to its interpretation
of "${_USERNAME}" as a regular expression. For example, _USERNAME could
be "ftp.user" which would then match "ftp_user" also.

This is mostly an edge case, but a '.' is allowable in unix user names.

The other small benefit of not using grep is avoiding a fork for some
minuscule performance benefit.

Instead of the grep, let 'getent' do the match for you:
- if ! getent passwd | grep -q "^${_USERNAME}:"
+ if ! getent passwd "${_USERNAME}"
and
- elif ! getent group | grep -q "^${_USERNAME}:
+ elif ! getent group "${USERNAME}"

This was brought up under ubuntu bug 629234
(https://bugs.launchpad.net/ubuntu/+...bug/629234)

Debian Release: squeeze/sid
APT prefers natty-updates
APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500, 'natty')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-8-generic (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash



To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
email Follow the discussionReplies 1 replyReplies Make a reply

Replies

#1 Scott Moser
December 14th, 2010 - 04:30 pm ET | Report spam
diff -Nru vsftpd-2.3.2/debian/changelog vsftpd-2.3.2/debian/changelog
vsftpd-2.3.2/debian/changelog 2010-12-06 07:10:53.000000000 -0500
+++ vsftpd-2.3.2/debian/changelog 2010-12-14 16:16:22.000000000 -0500
@@ -1,3 +1,9 @@
+vsftpd (2.3.2-7) experimental; urgency=low
+
+ * fix small potential issue with adding new user (Closes #607129)
+
+ -- Scott Moser Tue, 14 Dec 2010 16:15:38 -0500
+
vsftpd (2.3.2-6) experimental; urgency=low

* Adding Danish debconf translations from Joe Dalton
diff -Nru vsftpd-2.3.2/debian/vsftpd.postinst vsftpd-2.3.2/debian/vsftpd.postinst
vsftpd-2.3.2/debian/vsftpd.postinst 2010-11-26 11:20:26.000000000 -0500
+++ vsftpd-2.3.2/debian/vsftpd.postinst 2010-12-14 16:17:08.000000000 -0500
@@ -16,10 +16,10 @@

db_stop

- if ! getent passwd | grep -q "^${_USERNAME}:"
+ if ! getent passwd "${_USERNAME}"
then
adduser --system --home ${_DIRECTORY} --no-create-home --quiet --gecos 'ftp daemon' --group ${_USERNAME}
- elif ! getent group | grep -q "^${_USERNAME}:"
+ elif ! getent group "${_USERNAME}"
then
addgroup --system --quiet ${_USERNAME}
gpasswd -a ${_USERNAME} ${_USERNAME}



To UNSUBSCRIBE, email to
with a subject of "unsubscribe". Trouble? Contact

Similar topics

Make your own search :