Bug 15385 - Results from "getent group" may be truncated with nss_db
Status: NEW
Alias: None
Product: glibc
Classification: Unclassified
Component: nss
Version: 2.15
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Reported: 2013-04-22 22:11 UTC by Warren Jones
Modified: 2015-08-27 21:54 UTC
fweimer: security+


Description Warren Jones 2013-04-22 22:11:05 UTC
The results from "getent group" may be truncated when using nss_db.  This will happen when getgrent() encounters a group entry long enough to overflow the default 1024 byte buffer.  getgrent() sets errno to ERANGE and returns NULL, but getent fails to check errno, and truncates the results at this point.

Two things make me suspect that this failure is avoidable:

  1. Requesting a specific long group entry will return it in full, e.g.:

         getent group myverylonggroup

  2. Our local configuration in /etc/nsswitch.conf looks like this:

         group:  files db

     Long entries in group.db will cause output from "getent group" to be truncated as described, but if I add a long entry to /etc/group, it will be output in full, along with all subsequent entries in group.db.  It appears that nss_files will grow the buffer as required, and then the expanded buffer is used by nss_db.
Comment 1 Florian Weimer 2014-06-13 18:22:01 UTC
As groups can be used to deny privileges (see DenyGroups in OpenSSH), this is a potential minor security issue.
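
An added example, not part of the bug report and not code from glibc or getent: a C enumeration loop that separates ERANGE from end of database, the check the description says is missing, so that a long entry cannot silently cut the listing short. It uses the GNU getgrent_r() rather than getgrent(), and assumes glibc's behaviour that a retry after ERANGE returns the same entry; the name enumerate_groups and the 64 MiB growth cap are choices made for this example.

```c
#define _GNU_SOURCE            /* getgrent_r() is a GNU extension */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>

/* Walk the whole group database, starting with initial_buflen bytes.
 * Prints each entry to out (if non-NULL) in getent style. Returns the
 * number of entries, or -1 if enumeration stopped before the end. */
long enumerate_groups(size_t initial_buflen, FILE *out)
{
    size_t buflen = initial_buflen ? initial_buflen : 1;
    char *buf = malloc(buflen);
    long count = 0;
    int rc = buf ? 0 : ENOMEM;

    setgrent();
    while (rc == 0) {
        struct group grp, *res = NULL;
        rc = getgrent_r(&grp, buf, buflen, &res);
        if (rc == ERANGE) {
            /* Entry too long for buf: grow and retry, do not stop here. */
            char *bigger = buflen > ((size_t)1 << 26) ? NULL
                                                      : realloc(buf, buflen * 2);
            if (bigger == NULL) { rc = ENOMEM; break; }
            buf = bigger;
            buflen *= 2;
            rc = 0;
            continue;
        }
        if (rc != 0 || res == NULL)
            break;              /* ENOENT: end of database; else an error */
        count++;
        if (out) {
            fprintf(out, "%s:%s:%lu:", grp.gr_name, grp.gr_passwd,
                    (unsigned long)grp.gr_gid);
            for (char **m = grp.gr_mem; *m; m++)
                fprintf(out, "%s%s", m == grp.gr_mem ? "" : ",", *m);
            fputc('\n', out);
        }
    }
    endgrent();
    free(buf);
    return (rc == 0 || rc == ENOENT) ? count : -1;
}

int main(void)
{
    return enumerate_groups(1024, stdout) < 0 ? 2 : 0;
}
```

A non-zero exit status tells a script that the listing is incomplete, which matters when the output feeds an access decision such as the DenyGroups case in comment 1.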