libnss_tcb: Disallow potentially-malicious user names in getspnam(3).

Signed-off-by: Björn Esser <[email protected]>

ChangeLog

@@ -1,3 +1,9 @@
+2021-12-20  Björn Esser  <besser82 at fedoraproject.org>
+
+	libnss_tcb: Disallow potentially-malicious user names in getspnam(3).
+	* libs/nss.c (_nss_tcb_getspnam_r): Check for potentially-malicious
+	user names, and bail out in case.
+
 2021-12-18  Björn Esser  <besser82 at fedoraproject.org>
 
 	libtcb: Add versioning to exported symbols.

libs/nss.c

@@ -27,6 +27,31 @@ int _nss_tcb_endspent(void)
 	return 1;
 }
 
+/* IEEE Std 1003.1-2001 allows only the following characters to appear
+   in group- and usernames: letters, digits, underscores, periods,
+   <at>-signs (@), and dashes.   The name may not start with a dash or @.
+   The "$" sign is allowed at the end of usernames to allow typical
+   Samba machine accounts.  Regex: ^[a-z_.][[email protected]]*[$]$ */
+static int
+is_valid_username (const char *un)
+{
+	if (!un || !strlen(un) || un[0] == '-' || un[0] == '@' ||
+	    /* dirsep || curdir || parentdir */
+	    strchr(un, '/') || !strcmp(un, ".") || !strcmp(un, ".."))
+		return 0;
+
+	int retval = 1;
+	size_t unlen = strlen(un);
+
+	for (size_t i = 0; !retval && i < unlen; i++) {
+	char c = un[i];
+	retval = ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
+	    (c >= '0' && c <= '9') || c == '-' || c == '.' ||
+	    c == '@' || c == '_' || (i == unlen - 1 && c == '$'));
+	}
+	return retval;
+}
+
 static FILE *tcb_safe_open(const char *file, const char *name)
 {
 	gid_t grplist[TCB_NGROUPS];
@@ -64,6 +89,10 @@ int _nss_tcb_getspnam_r(const char *name, struct spwd *__result_buf,
 	char *file;
 	int retval, saved_errno;
 
+	/* Disallow potentially-malicious user names */
+	if (!is_valid_username(name))
+		return NSS_STATUS_NOTFOUND;
+
 	if (asprintf(&file, TCB_FMT, name) < 0)
 		return NSS_STATUS_TRYAGAIN;
 	f = tcb_safe_open(file, name);