On Thu, 09.02.23 12:34, Samuel Cabrero (scabrero@xxxxxxx) wrote:

> Hi,
>
> I have implemented a PoC of the user and group record lookup via
> Varlink in Samba and I have found that the JSON parser considers the
> "\" character unsafe. This prevents domain names parsing because it is
> used to split the domain name and user name parts [1],
> e.g. DOMAIN\user

This has nothing to do with JSON or not JSON, but is simply enforced
by systemd's user naming regime. See here for details:

https://systemd.io/USER_NAMES/

If you ask me: it's an abysmal idea to embed backslashes into user
names, which pretty universally on UNIX is used as an escape
character, and thus will just create problems here and
everywhere. It's also against POSIX, for whatever that's worth.

That said, as per the docs above: we actually have the rule that we
refuse things like backslashes when systemd itself is used to allocate
a user, i.e. if we "own" the user/group, then we will not allow such
things. In your case it's pretty clear though that Samba/winbind own
the user, hence what you are running into is clearly a bug on our
side: if you pick that name for one of your own users we should be
able to deal with it, and consume it, or transport it and not refuse.

Hence, can you file a bug about this on GitHub, asking us to relax
those specific checks? (even better provide a patch)

> My question is why is this printable character considered unsafe? I
> have traced it down to the string_is_safe() function [2] and the
> comments there suggest that it should only check for quotes and control
> chars.

It creates needless ambiguities because you never know if the string
is just escaped, or actually named that way. Given that user names are
a first class concept for authentication purposes it's a really good
idea to avoid such ambiguities that could potentially be used for
exploits.

Lennart

--
Lennart Poettering, Berlin
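
The trade-off discussed in this message, as an added C example that is not systemd's or Samba's code: a strict check of the kind the thread describes beside a hypothetical relaxed check for records owned by another provider, plus a toy consumer that treats the backslash as an escape character. The function names, the "exactly one separator" rule and the sample names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Strict check as the thread describes it: no control characters, no quotes
 * and no backslash. Written for this example, not copied from systemd. */
static bool name_is_safe_strict(const char *s) {
    if (!s || !*s) return false;
    for (const unsigned char *p = (const unsigned char *) s; *p; p++)
        if (*p < ' ' || *p == 0x7f || strchr("\"'\\", *p))
            return false;
    return true;
}

/* Hypothetical relaxed check for records owned by another provider: exactly
 * one backslash is accepted as a DOMAIN\user separator. Both halves must pass
 * the strict check, so an empty half or a second backslash is refused. */
static bool name_is_safe_foreign(const char *s) {
    char buf[256];
    const char *sep = s ? strchr(s, '\\') : NULL;
    if (!sep) return name_is_safe_strict(s);
    size_t n = (size_t) (sep - s);
    if (n == 0 || n >= sizeof buf) return false;
    memcpy(buf, s, n);
    buf[n] = '\0';
    return name_is_safe_strict(buf) && name_is_safe_strict(sep + 1);
}

/* A consumer that treats the backslash as an escape character, which is the
 * ambiguity raised above. Handles \\ and \n only; out needs strlen(in) + 1. */
static void unescape(const char *in, char *out) {
    for (; *in; in++) {
        if (*in == '\\' && in[1] == '\\') { *out++ = '\\'; in++; }
        else if (*in == '\\' && in[1] == 'n') { *out++ = '\n'; in++; }
        else *out++ = *in;
    }
    *out = '\0';
}

int main(void) {
    /* Constructed sample names, not taken from the thread's references. */
    const char *names[] = { "alice", "DOMAIN\\user", "DOMAIN\\new", "A\\B\\c" };
    char tmp[64];
    for (size_t i = 0; i < sizeof names / sizeof *names; i++) {
        unescape(names[i], tmp);
        printf("%-12s strict=%d foreign=%d foreign_after_unescape=%d\n", names[i],
               name_is_safe_strict(names[i]), name_is_safe_foreign(names[i]), name_is_safe_foreign(tmp));
    }
    return 0;
}
```

The constructed name `DOMAIN\new` passes the relaxed check as received, but a consumer that unescapes it first sees a newline and a different name, which is why the relaxed variant only makes sense where the string is transported verbatim.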