Message-ID: <CAATysseGvKC4HoQeCWJuceeqm88rGqLHY6iTsnq3EM-8=a_t4A@mail.gmail.com>
Date: Thu, 13 Dec 2012 17:37:44 +0100
From: "Simon ." <bofh666ftw@...glemail.com>
To: oss-security@...ts.openwall.com
Subject: pacemaker strcmp

Hi,

I might have overlooked something. Starting from line 39, if pacemaker is compiled with ACL support:

https://github.com/ClusterLabs/pacemaker/blob/master/include/crm_internal.h#L39

Once a user root\0bar is created, and CRM_DAEMON_USER is #undef, we can return TRUE. Haven't looked into further details here, and I think no sane admin will ever allow such a user.

What do you guys think?

/* For ACLs */
char *uid2username(uid_t uid);
void determine_request_user(char *user, xmlNode * request, const char *field);

# if ENABLE_ACL
#   include <string.h>
static inline gboolean
is_privileged(const char *user)
{
    if (user == NULL) {
        return FALSE;

    } else if (strcmp(user, CRM_DAEMON_USER) == 0) {   <------------- #undef ?
        return TRUE;

    } else if (strcmp(user, "root") == 0) {            <------------------- err
        return TRUE;
    }
    return FALSE;
}
# endif
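The embedded-NUL comparison the mail describes, as an added example (not from the post and not pacemaker's code): a strcmp-based check next to a length-aware one that rejects a name like root\0bar. DAEMON_USER_STANDIN is a constructed placeholder for CRM_DAEMON_USER.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for pacemaker's CRM_DAEMON_USER build-time define. */
#define DAEMON_USER_STANDIN "hacluster"

/* Mirrors the strcmp-based check quoted in the mail: strcmp stops at the
   first NUL, so any bytes after an embedded NUL in `user` are never seen. */
static bool is_privileged_strcmp(const char *user)
{
    if (user == NULL) return false;
    if (strcmp(user, DAEMON_USER_STANDIN) == 0) return true;
    if (strcmp(user, "root") == 0) return true;
    return false;
}

/* Exact-length comparison: equal only if the byte counts match and all
   bytes are identical, so 8 bytes "root\0bar" is not the 4-byte "root". */
static bool name_equals(const char *user, size_t user_len, const char *expected)
{
    size_t elen = strlen(expected);
    return user_len == elen && memcmp(user, expected, elen) == 0;
}

/* Length-aware variant: the caller supplies the number of bytes the name
   actually occupies (as a length-prefixed protocol field would). */
static bool is_privileged_len(const char *user, size_t user_len)
{
    if (user == NULL) return false;
    /* A legitimate username obtained from getpwuid() is a C string and can
       never contain an embedded NUL, so reject any name that does. */
    if (memchr(user, '\0', user_len) != NULL) return false;
    return name_equals(user, user_len, DAEMON_USER_STANDIN)
        || name_equals(user, user_len, "root");
}

/* Constructed sample: the 8-byte name root\0bar from the mail. */
static const char sample_user[] = {'r', 'o', 'o', 't', '\0', 'b', 'a', 'r'};
#define SAMPLE_LEN sizeof(sample_user)

/* Returns 1 when the strcmp check accepts the sample but the length-aware
   check rejects it, i.e. when the two checks disagree on root\0bar. */
int demo_discrepancy(void)
{
    bool loose = is_privileged_strcmp(sample_user);
    bool strict = is_privileged_len(sample_user, SAMPLE_LEN);
    return (loose && !strict) ? 1 : 0;
}
```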