fedora 24
misc weakness #468

4

Weakness Breakdown


Definition:

The software specifies permissions for a security-critical resource in a way that allows the resource to be read or modified by unintended actors.

Warning code(s):

It's often easy to fool getlogin. Sometimes it does not work at all, because some program messed up the utmp file. Often, it gives only the first 8 characters of the login name. The user currently logged in on the controlling tty of our program need not be the user who started it. Avoid getlogin.

File Name:

dovecot-2.2.31/src/imap-urlauth/imap-urlauth.c

Context:

The highlighted line of code below is the trigger point of this particular Fedora 24 misc weakness.

 
static void imap_urlauth_die(void)
{
	/* do nothing. imap_urlauth connections typically die pretty quick anyway. */
}

static int
client_create_from_input(const char *username, int fd_in, int fd_out)
{
	struct client *client;

	if (client_create(username, fd_in, fd_out,
			  imap_urlauth_settings, &client) < 0)
		return -1;

	if (!IS_STANDALONE())
		client_send_line(client, "OK");
	return 0;
}

static void main_stdio_run(const char *username)
{
	username = username != NULL ? username : getenv("USER");
	if (username == NULL && IS_STANDALONE())
		username = getlogin();
	if (username == NULL)
		i_fatal("USER environment missing");

	(void)client_create_from_input(username, STDIN_FILENO, STDOUT_FILENO);
}

static void
login_client_connected(const struct master_login_client *client,
		       const char *username, const char *const *extra_fields)
{
	const char *msg = "NO\n";
	struct auth_user_reply reply;
	struct net_unix_cred cred;

	auth_user_fields_parse(extra_fields, pool_datastack_create(), &reply);

	/* check peer credentials if possible */
	if (reply.uid != (uid_t)-1 && net_getunixcred(client->fd, &cred) == 0 &&
		reply.uid != cred.uid) {
		i_error("Peer's credentials (uid=%ld) do not match "
			"the user that logged in (uid=%ld).",
			(long)cred.uid, (long)reply.uid);
		if (write(client->fd, msg, strlen(msg)) < 0) {
			/* ignored */
		} 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.