Varlink JSON parser considering "\" unsafe only in group memberships?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

I have implemented a PoC of the user and group record lookup via
Varlink in Samba and I have found that the JSON parser considers the
"\" character unsafe. This prevents domain names parsing because it is
used to split the domain name and user name parts [1], e.g. DOMAIN\user

My question is why is this printable character considered unsafe? I
have traced it down to the string_is_safe() function [2] and the
comments there suggest that it should only check for quotes and control
chars.

Moreover, it seems that only memberships go through the function. Users
and groups without members are correctly parsed, but memberships
aren't:

samba@varlink:~> SYSTEMD_LOG_LEVEL=7 getent -spasswd:systemd passwd
"AFOREST\\buser1"

/run/systemd/userdb/org.samba.winbind: Sending message:
{"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userNa
me":"AFOREST\\buser1","service":"org.samba.winbind"}}

/run/systemd/userdb/org.samba.winbind: New incoming message:
{"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory"
:"/home/AFOREST/buser1","service":"org.samba.winbind","shell":"/bin/bas
h","uid":25264,"userName":"AFOREST\\buser1"}}}

AFOREST\buser1:x:25264:20513:AFOREST\buser1:/home/AFOREST/buser1:/bin/b
ash




samba@varlink:~> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group
"AFOREST\\bgroup2"

/run/systemd/userdb/org.samba.winbind: Sending message:
{"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"group
Name":"AFOREST\\bgroup2","service":"org.samba.winbind"}}

/run/systemd/userdb/org.samba.winbind: New incoming message:
{"parameters":{"incomplete":false,"record":{"gid":25275,"groupName":"AF
OREST\\bgroup2","service":"org.samba.winbind"}}}

/run/systemd/userdb/org.samba.winbind: Sending message:
{"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"group
Name":"AFOREST\\bgroup2","service":"org.samba.winbind"},"more":true}

/run/systemd/userdb/org.samba.winbind: New incoming message:
{"error":"io.systemd.UserDatabase.NoRecordFound"}

Got lookup error: io.systemd.UserDatabase.NoRecordFound

AFOREST\bgroup2:x:25275:




samba@varlink:~> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group
"AFOREST\\bgroup1"

/run/systemd/userdb/org.samba.winbind: Sending message:
{"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"group
Name":"AFOREST\\bgroup1","service":"org.samba.winbind"}}

/run/systemd/userdb/org.samba.winbind: New incoming message:
{"parameters":{"incomplete":false,"record":{"gid":25274,"groupName":"AF
OREST\\bgroup1","members":["AFOREST\\buser1"],"service":"org.samba.winb
ind"}}}

/run/systemd/userdb/org.samba.winbind: Sending message:
{"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"group
Name":"AFOREST\\bgroup1","service":"org.samba.winbind"},"more":true}

/run/systemd/userdb/org.samba.winbind: New incoming message:
{"parameters":{"groupName":"AFOREST\\bgroup1","userName":"AFOREST\\buse
r1"}}

(string):1:28: JSON field 'groupName' contains unsafe characters,
refusing.

[1]
https://learn.microsoft.com/en-us/windows/win32/secauthn/user-name-formats#down-level-logon-name

[2]
https://github.com/systemd/systemd/blob/main/src/basic/string-util.c#L990


-- 
Samuel Cabrero / SUSE Labs Samba Team
GPG: D7D6 E259 F91C F0B3 2E61 1239 3655 6EC9 7051 0856
scabrero@xxxxxxxx
scabrero@xxxxxxx
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux