Bug#992058: opensysusers: uses `eval` on data that is not supposed to be safe to eval



Package: opensysusers
Version: 0.6-2
Severity: serious
Tags: security upstream
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

opensysusers uses the shell's `eval` on everything in sysusers.d like
there is no tomorrow. These files can contain shell meta-characters
that should not result in code execution, e.g., in the GECOS field.

+---
| # mkdir /etc/sysusers.d
| # echo 'u test-user - "Do not $(rm /etc/bash.bashrc)" /var/lib/test-users /bin/sh' > /etc/sysusers.d/test.conf
| # ls -l /etc/bash.bashrc
| -rw-r--r-- 1 root root 1994 Jun 22 02:26 /etc/bash.bashrc
| # systemd-sysusers # this is opensysusers
| # ls -l /etc/bash*
| ls: cannot access '/etc/bash*': No such file or directory
+---[ opensysusers 0.6-2 ]

systemd's systemd-sysusers behaves differently:

+---
| # mkdir /etc/sysusers.d
| # echo 'u test-user - "Do not $(rm /etc/bash.bashrc)" /var/lib/test-users /bin/sh' > /etc/sysusers.d/test.conf
| # ls -l /etc/bash.bashrc
| -rw-r--r-- 1 root root 1994 Jun 22 02:26 /etc/bash.bashrc
| # systemd-sysusers
| Creating group systemd-coredump with gid 999.
| Creating user systemd-coredump (systemd Core Dumper) with uid 999 and gid 999.
| Creating group test-user with gid 998.
| Creating user test-user (Do not $(rm /etc/bash.bashrc)) with uid 998 and gid 998.
| # ls -l /etc/bash.bashrc
| -rw-r--r-- 1 root root 1994 Jun 22 02:26 /etc/bash.bashrc
| # getent passwd test-user
| test-user:x:998:998:Do not $(rm /etc/bash.bashrc):/var/lib/test-users:/bin/sh
+---[ systemd 247.3-6 ]

As opensysusers is supposed to be a drop-in requirement for
systemd-sysusers it *must* behave as systemd does and not execute
data.

Ansgar
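As an added illustration of the fix the report asks for (example code, not opensysusers' or systemd's own): a POSIX sh field splitter for a sysusers.d line that honours double quotes without ever passing the line to `eval`, so `$(...)` in the GECOS field stays literal text. The function names `sysusers_fields` and `sysusers_field` are assumed, and the sample line is constructed from the report above.

```shell
#!/bin/sh
# Added example (not opensysusers' code): split one sysusers.d line into
# whitespace-separated fields, honouring double quotes, WITHOUT eval.
# Fields are printed one per line; nothing in them is ever re-parsed by the shell.

sysusers_fields() {
    rest=$1
    field=''
    in_quotes=0
    have_field=0
    tab=$(printf '\t')
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of $rest
        rest=${rest#?}          # and the remainder
        if [ "$in_quotes" -eq 1 ]; then
            if [ "$c" = '"' ]; then in_quotes=0; else field="$field$c"; fi
        elif [ "$c" = '"' ]; then
            in_quotes=1; have_field=1   # an empty "" is still a field
        elif [ "$c" = ' ' ] || [ "$c" = "$tab" ]; then
            if [ "$have_field" -eq 1 ]; then
                printf '%s\n' "$field"; field=''; have_field=0
            fi
        else
            field="$field$c"; have_field=1
        fi
    done
    [ "$have_field" -eq 1 ] && printf '%s\n' "$field"
    return 0
}

# Field N (1-based) of one line; for a "u" line the GECOS is field 4.
sysusers_field() {
    sysusers_fields "$1" | sed -n "${2}p"
}

# Constructed input: the line from the report above. The GECOS comes back
# as the literal string 'Do not $(rm /etc/bash.bashrc)'; nothing is executed.
example_line='u test-user - "Do not $(rm /etc/bash.bashrc)" /var/lib/test-users /bin/sh'
printf 'GECOS (literal, nothing executed): %s\n' "$(sysusers_field "$example_line" 4)"
```

Any consumer of these fields (useradd, getent lookups, log lines) should keep quoting them as `"$field"`; the point is that the data never re-enters the shell parser.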