Closed alejandro-colomar closed 4 months ago
https://github.com/shadow-maint/shadow/blob/a6eb312f60a5c0e11483ead2fb1635f282da8e59/src/logoutd.c#L208-L214
This seems like it should result in "/dev//dev/whatever".
"/dev//dev/whatever"
Let's assume the first branch happens:
strcpy (tty_name, "/dev/"); strncat(tty_name, ut->ut_line, NITEMS(ut->ut_line));
Which is catenating a prefix of the string with the string itself, thus duplicating the prefix.
I suspect this results in an unconditional failure in the subsequent open(2) call:
https://github.com/shadow-maint/shadow/blob/a6eb312f60a5c0e11483ead2fb1635f282da8e59/src/logoutd.c#L218-L224
Is this daemon highly broken?
Also, who uses this daemon? The only distro that seems to provide it is OpenWRT (AFICS).
@neheb You seem to maintain https://github.com/openwrt/packages/commits/2b7369c323ac232ccb39f0321c5b86053a29b263/utils/shadow/Makefile; can you reproduce this on OpenWRT?
This issue has been there since 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)"), a.k.a., forever.
Ahhh, no, it's != 0. I misread. Sorry. :-)
https://github.com/shadow-maint/shadow/blob/a6eb312f60a5c0e11483ead2fb1635f282da8e59/src/logoutd.c#L208-L214
This seems like it should result in
"/dev//dev/whatever"
.Let's assume the first branch happens:
Which is catenating a prefix of the string with the string itself, thus duplicating the prefix.
I suspect this results in an unconditional failure in the subsequent open(2) call:
https://github.com/shadow-maint/shadow/blob/a6eb312f60a5c0e11483ead2fb1635f282da8e59/src/logoutd.c#L218-L224
Is this daemon highly broken?
Also, who uses this daemon? The only distro that seems to provide it is OpenWRT (AFICS).
@neheb You seem to maintain https://github.com/openwrt/packages/commits/2b7369c323ac232ccb39f0321c5b86053a29b263/utils/shadow/Makefile; can you reproduce this on OpenWRT?
This issue has been there since 45c6603cc86c ("[svn-upgrade] Integrating new upstream version, shadow (19990709)"), a.k.a., forever.