A very little Display Manager and an obstacle
Hi!
I wrote a very little and home-made Display Manager.
https://sites.google.com/view/easydisplaymanager/home
It's got a limited set of features, and it's only a proof of concept.
The obstacle (for me) is that I (as a bash scripter with bare C know-how) can check the user password only with the "shadow.h" header (that is a Linuxism).
How to check passwords in BSD?
Re: A very little Display Manager and an obstacle
please redo the tar file and avoid using a path that starts with ".."; it is considered bad practice, often used by malicious software, and in fact bsdtar refuses to extract the files.
"../../../home/vittorio/Programmi/EasyDM/... "
Re: A very little Display Manager and an obstacle
Hi vaisarger,
just wanted to give your DM a try on a spare machine. Unfortunately the tarball that you uploaded is messed up: You've somehow managed to include relative paths into it ("/../../../home/vittorio/Programmi/") which prevents tar from extracting it normally. The engrampa archive manager that comes with GhostBSD/MATE also fails on this. It claims to have extracted the files but actually hasn't.
I had one such file in the past and somehow managed to extract files from it... But I don't remember exactly how I did it (it was a major pain, though). So you probably want to rebuild your tarball to just include the EasyDM directory? I'll give it a shot then.
Re: A very little Display Manager and an obstacle
vaisarger wrote: The obstacle (for me) is that I (as a bash scripter with bare C know-how) can check the user password only with the "shadow.h" header (that is a Linuxism).
How to check passwords in BSD?
see "man getpwent" and related functions.
I would expect that to be portable, being under POSIX compliance.
Re: A very little Display Manager and an obstacle
Thank you both for your tips.
Kraileth, I'm sorry, I just used the "Compress the directory" option in the File Manager menu, like "Extract here". I was not aware of this problem. Anyway I've just uploaded another tarball without that issue; I used the "tar" command in a terminal, to avoid such a joke.
Please consider my program is very basic and doesn't support many features you would expect from a DM (e.g. the current time displayed, or the locales/keymaps). Nonetheless it has those basic features which I need (all users displayed and ready to click, and some other basic settings). Furthermore, it's at a very early stage of development: more, it's really a baby!
Thank you anyway for giving it a try, I look forward to hearing your opinions/suggestions on it.
ASX, I already saw that library, but I would prefer (if possible) a bare and direct C source, since my C knowledge is so limited. I know the "'shadow.h' way" just because I copied and modified it from another open source project to sort out a certain situation at work.
I apologize, I'm basically just a shell scripter...
Re: A very little Display Manager and an obstacle
ok, the tarball is now OK, downloaded it and took a fast look.
hmm ...
Code:
...
char parola_da_cryptare[100];
char utente[100];
struct spwd * dati_da_etc_passwd ;
char *puntatore_a_parola_da_cryptare ;
sprintf(parola_da_cryptare,"%s",argv[1]);
sprintf(utente,"%s",argv[2]);
dati_da_etc_passwd=getspnam(utente);
...
It would be very easy to make your program crash upon the first sprintf() call, just type in a string longer than 100 chars ... for something that has to deal with security and access control it is not a good start, please see snprintf().
getspnam() is a GNU extension and is not part of POSIX, and in fact it is not implemented in FreeBSD; you have to change approach, and if portability is desired you have to cross-check that the functions you are using are implemented on all systems you are going to support (or you can use conditional statements to allow for different code depending on OS).
please check this for a start:
http://pubs.opengroup.org/onlinepubs/9699919799/ search for "getpwent", you will find code examples for many functions too.
Re: A very little Display Manager and an obstacle
ASX, thank you very much for your tip!
I at last managed to check passwords in *BSD too!
Actually, it was so trivial... sometimes I'm surprised in the BSD world by this: my mind is used to complicating itself, but things are so easy, why make them more complicated? (It's difficult to explain this sensation... ).
Anyway, POSIX authentication is very similar to the "shadow" GNU way, the only difference is you have to fetch data through a loop:
Code:
while ((pwd = getpwent()) != NULL)
{
    if (strcmp(pwd->pw_name, user) == 0)
    {
        ....
        ....
and in the structure "pwd" (struct passwd * pwd) there is everything: user name, uid, and so forth, and, obviously, the user password.
Now I can implement this in my little, home made, Display Manager "EasyDM".
ASX wrote: It would be very easy to make your program crash upon the first sprintf() call, just type in a string longer than 100 chars ... for something that has to deal with security and access control it is not a good start, please see snprintf().
Well... I didn't notice that vulnerability. I'll increase char memory allocation to 1000 chars.
It might be a safer limit, isn't it?
Kraileth, did you look at my DM? Do you have any suggestions to make it better?
Re: A very little Display Manager and an obstacle
vaisarger wrote: ASX, thank you very much for your tip!
very welcome, and nice to see you are progressing!
vaisarger wrote: Well... I didn't notice that vulnerability. I'll increase char memory allocation to 1000 chars.
It might be a safer limit, isn't it?
No, by extending the buffer size, you only change the amount of chars needed to overflow the buffer; it will still be vulnerable.
What is needed here is to deal safely with any unexpected input string, specifically you need to copy into the buffer only N-1 bytes, where N is the buffer size.
Code:
snprintf(parola_da_cryptare, N-1, "%s", argv[1]);
This way only N-1 bytes will be copied into the buffer 'parola_da_cryptare', no matter how long argv[1] is.
Re: A very little Display Manager and an obstacle
Very interesting...
But... (maybe a stupid question) if arg1 is "12345", then N-1, "parola_da_cryptare" now is: "1234"?
Or is the last char considered the special final char ("\0")?
Re: A very little Display Manager and an obstacle
vaisarger wrote: Very interesting...
But... (maybe a stupid question) if arg1 is "12345", then N-1, "parola_da_cryptare" now is: "1234"?
Or is the last char considered the special final char ("\0")?
back to your own code:
Code:
...
char parola_da_cryptare[100]; <<<<<=======- N = 100
char utente[100];
struct spwd * dati_da_etc_passwd ;
char *puntatore_a_parola_da_cryptare ;
sprintf(parola_da_cryptare,"%s",argv[1]);
sprintf(utente,"%s",argv[2]);
dati_da_etc_passwd=getspnam(utente);
using
Code:
snprintf(parola_da_cryptare, 100-1, "%s", argv[1]);
That is, you will never exceed the 100 bytes length, which is the size of your buffer.
Of course, same thing may apply to your other char array 'utente'.
Hope that is clearer.
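As an added example (not EasyDM's code and not posted by anyone in the thread), here is the portable user lookup from the getpwent() post and the bounded-copy fix from the snprintf() exchange, combined in one C program. The function and struct names are mine; the one rule the program relies on is that snprintf() given the buffer's full size stores at most size-1 characters and always appends the terminating '\0', so "12345" in a 5-byte buffer becomes "1234" and the return value reports the truncation. It assumes a root account exists for the lookup and uses getpwnam(3) instead of the getpwent() loop.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Bounded copy of untrusted input (e.g. argv[1]) into a fixed buffer.
 * snprintf() stores at most dstsize-1 characters and always appends the
 * terminating '\0' when dstsize > 0, so the full buffer size is the limit.
 * Returns 1 if the whole input fit, 0 if it was truncated (still terminated). */
int copy_bounded(char *dst, size_t dstsize, const char *src) {
    int needed = snprintf(dst, dstsize, "%s", src);
    return needed >= 0 && (size_t)needed < dstsize;
}

/* The fields a display manager needs to start a session (assumed layout). */
struct account {
    uid_t uid;
    gid_t gid;
    char home[256];
    char shell[256];
};

/* Look the user up with getpwnam(3), which POSIX specifies, instead of the
 * glibc-only getspnam(3) or a manual getpwent() loop. Returns 1 on success,
 * 0 if the user is unknown or a field would not fit in the struct.
 * Note: on FreeBSD pw_passwd contains the real hash only when the caller is
 * root; verifying a typed password against it with crypt(3) is not shown. */
int lookup_account(const char *user, struct account *out) {
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return 0;
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    if (!copy_bounded(out->home, sizeof out->home, pw->pw_dir))
        return 0;
    return copy_bounded(out->shell, sizeof out->shell, pw->pw_shell);
}

int main(int argc, char **argv) {
    char utente[100];           /* same buffer size as in the thread */
    struct account acct;
    if (argc < 2) return 2;
    if (!copy_bounded(utente, sizeof utente, argv[1]))
        fprintf(stderr, "user name longer than %zu chars was truncated\n",
                sizeof utente - 1);
    if (!lookup_account(utente, &acct))
        return 1;
    printf("uid=%ld home=%s shell=%s\n", (long)acct.uid, acct.home, acct.shell);
    return 0;
}
```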