Ensure proper permission handling when overshadowing unix user/group names, and groups with _ #51

Open
opened 2024-08-17 15:32:29 +02:00 by oysteikt · 2 comments
Owner

Take the following case: On the system there are 2 users `usera` and `userb`. `usera` is part of `group1`, and `userb` is part of `group1_2`.

In the current implementation, `usera` would be able to create a database `group1_2_asdf`, even though they are not part of `group1_2`, and I'm not even sure what the logic is for `userb`, considering the names are split on `_`. Should we just outright ban groups with `_`?
oysteikt added this to the Initial release milestone 2024-08-17 15:32:29 +02:00
oysteikt added the bug, security labels 2024-08-17 15:32:29 +02:00
Author
Owner

Relevant piece of code: https://git.pvv.ntnu.no/Projects/mysqladm-rs/src/commit/af86893acf94f49d40cc2b42ff15987cae21e16f/src/server/input_sanitization.rs#L34-L60

```rust
/// Core logic for validating the ownership of a database name.
/// This function checks if the given name matches any of the given prefixes.
/// These prefixes will in most cases be the user's unix username and any
/// unix groups the user is a member of.
pub fn validate_ownership_by_prefixes(
    name: &str,
    prefixes: &[String],
) -> Result<(), OwnerValidationError> {
    if name.is_empty() {
        return Err(OwnerValidationError::StringEmpty);
    }
    if name.starts_with('_') {
        return Err(OwnerValidationError::MissingPrefix);
    }
    // Splits at the first `_` only, so `group1_2_asdf` yields the prefix `group1`.
    let (prefix, _) = match name.split_once('_') {
        Some(pair) => pair,
        None => return Err(OwnerValidationError::MissingPostfix),
    };
    if !prefixes.iter().any(|g| g == prefix) {
        return Err(OwnerValidationError::NoMatch);
    }
    Ok(())
}
```
Author
Owner

This turned out to be somewhat nontrivial, due to libc not having any good way to fetch all groups. `getent(1)` is probably the best option, but it requires us to do external command calls and validate whether that tool is available. Leaving for another release.
oysteikt removed this from the Initial release milestone 2024-08-17 22:32:07 +02:00
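Added worked example (editor's addition, not code from mysqladm-rs): one way to resolve the overshadowing described in the issue is to match the database name against *every* user and group name on the system (the data the last comment wants from `getent`), not only the caller's own prefixes, and let the longest matching principal win. With that rule `group1_2_asdf` is owned by `group1_2` whenever such a group exists, so `usera` is refused and `userb` is accepted; `group1_asdf` still resolves to `group1`. The `OwnerValidationError` variants are the ones named in the snippet above; the function names, the `shadowing_pairs` audit helper and the sample principal lists are assumptions made for this example.

```rust
// Added example, not code from the mysqladm-rs project. Owner resolution that
// checks a database name against all principals on the system and lets the
// longest match win, so `group1_2` shadows `group1` instead of the reverse.
// Function names and sample data below are assumptions for illustration.

#[derive(Debug, PartialEq, Eq)]
pub enum OwnerValidationError {
    StringEmpty,
    MissingPrefix,
    MissingPostfix,
    NoMatch,
}

/// Does `name` have the form `<principal>_<non-empty postfix>`?
fn owned_by(name: &str, principal: &str) -> bool {
    !principal.is_empty()
        && name.len() > principal.len() + 1
        && name.starts_with(principal)
        && name.as_bytes()[principal.len()] == b'_'
}

/// Resolve which principal a database name belongs to, given every unix user
/// and group name on the system (assumed to come from `getent passwd` and
/// `getent group`), not only the caller's own. Among all principals `p` with
/// `name == p + "_" + postfix`, the longest `p` wins.
pub fn resolve_owner<'a>(
    name: &str,
    all_principals: &'a [String],
) -> Result<&'a str, OwnerValidationError> {
    if name.is_empty() {
        return Err(OwnerValidationError::StringEmpty);
    }
    if name.starts_with('_') {
        return Err(OwnerValidationError::MissingPrefix);
    }
    if !name.contains('_') {
        return Err(OwnerValidationError::MissingPostfix);
    }
    all_principals
        .iter()
        .filter(|p| owned_by(name, p))
        .max_by_key(|p| p.len())
        .map(|p| p.as_str())
        .ok_or(OwnerValidationError::NoMatch)
}

/// The caller may create `name` only if its resolved owner is one of the
/// caller's own prefixes (username plus the groups they are a member of).
pub fn validate_ownership(
    name: &str,
    user_prefixes: &[String],
    all_principals: &[String],
) -> Result<(), OwnerValidationError> {
    let owner = resolve_owner(name, all_principals)?;
    if user_prefixes.iter().any(|p| p == owner) {
        Ok(())
    } else {
        Err(OwnerValidationError::NoMatch)
    }
}

/// Audit helper: every (short, long) pair where `long` starts with `short` + "_",
/// i.e. exactly the overshadowing the issue title describes. These are the
/// principals a policy of banning `_` in group names would rule out.
pub fn shadowing_pairs(all_principals: &[String]) -> Vec<(String, String)> {
    let mut pairs = Vec::new();
    for short in all_principals {
        for long in all_principals {
            if owned_by(long, short) {
                pairs.push((short.clone(), long.clone()));
            }
        }
    }
    pairs
}

fn strs(v: &[&str]) -> Vec<String> {
    v.iter().map(|s| s.to_string()).collect()
}

fn main() {
    // Constructed sample system, mirroring the issue: two users, two groups.
    let all = strs(&["usera", "userb", "group1", "group1_2"]);
    let usera = strs(&["usera", "group1"]);
    let userb = strs(&["userb", "group1_2"]);

    println!("{:?}", resolve_owner("group1_2_asdf", &all)); // Ok("group1_2")
    println!("{:?}", validate_ownership("group1_2_asdf", &usera, &all)); // Err(NoMatch)
    println!("{:?}", validate_ownership("group1_2_asdf", &userb, &all)); // Ok(())
    println!("{:?}", validate_ownership("group1_asdf", &usera, &all)); // Ok(())
    println!("{:?}", shadowing_pairs(&all)); // [("group1", "group1_2")]
}
```

Longest match makes the more specific principal win, which is the safe direction when a name is ambiguous, but it only works if the principal list is complete: a group missing from `all_principals` cannot shadow anything, which is why the fetch-all-groups problem in the comment above is on the critical path. The ambiguity itself (`group1_2_asdf` could legitimately be `group1`'s `2_asdf`) is not removable by any resolution rule; `shadowing_pairs` lists where it exists so a policy of rejecting `_` in group names can be enforced or at least reported.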