From a9b7e9e368e79957ef492304bf62742b1304b7bb Mon Sep 17 00:00:00 2001 From: Matthias Clasen Date: Fri, 1 Nov 2013 17:09:25 -0400 Subject: [PATCH] Avoid deleting the root user The check we have in place against deleting the root user can be tricked by exploiting the fact that we are checking a gint64, and then later cast it to a uid_t. This can be seen with the following test, which will delete your root account: qdbus --system org.freedesktop.Accounts /org/freedesktop/Accounts \ org.freedesktop.Accounts.DeleteUser -9223372036854775808 true Found with the dfuzzer tool, https://github.com/matusmarhefka/dfuzzer --- src/daemon.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/daemon.c b/src/daemon.c index 9c9f617..b2720f4 100644 --- a/src/daemon.c +++ b/src/daemon.c @@ -1232,7 +1232,7 @@ daemon_uncache_user (AccountsAccounts *accounts, } typedef struct { - gint64 uid; + uid_t uid; gboolean remove_files; } DeleteUserData; @@ -1314,13 +1314,13 @@ daemon_delete_user (AccountsAccounts *accounts, Daemon *daemon = (Daemon*)accounts; DeleteUserData *data; - if (uid == 0) { + if ((uid_t)uid == 0) { throw_error (context, ERROR_FAILED, "Refuse to delete root user"); return TRUE; } data = g_new0 (DeleteUserData, 1); - data->uid = uid; + data->uid = (uid_t)uid; data->remove_files = remove_files; daemon_local_check_auth (daemon, -- 1.8.4.2