[systemd-devel] Varlink JSON parser considering "\" unsafe only in group memberships?

Samuel Cabrero scabrero at suse.de
Thu Feb 9 11:34:45 UTC 2023


Hi,

I have implemented a PoC of the user and group record lookup via
Varlink in Samba and I have found that the JSON parser considers the
"\" character unsafe. This prevents parsing domain names, because it
is used to split the domain name and user name parts [1], e.g. DOMAIN\user

My question is why is this printable character considered unsafe? I
have traced it down to the string_is_safe() function [2] and the
comments there suggest that it should only check for quotes and control
chars.

Moreover, it seems that only memberships go through the function. Users
and groups without members are correctly parsed, but memberships
aren't:

samba@varlink:~> SYSTEMD_LOG_LEVEL=7 getent -spasswd:systemd passwd "AFOREST\\buser1"

/run/systemd/userdb/org.samba.winbind: Sending message:
{"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"AFOREST\\buser1","service":"org.samba.winbind"}}

/run/systemd/userdb/org.samba.winbind: New incoming message:
{"parameters":{"incomplete":false,"record":{"gid":20513,"homeDirectory":"/home/AFOREST/buser1","service":"org.samba.winbind","shell":"/bin/bash","uid":25264,"userName":"AFOREST\\buser1"}}}

AFOREST\buser1:x:25264:20513:AFOREST\buser1:/home/AFOREST/buser1:/bin/bash

samba@varlink:~> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group "AFOREST\\bgroup2"

/run/systemd/userdb/org.samba.winbind: Sending message:
{"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"groupName":"AFOREST\\bgroup2","service":"org.samba.winbind"}}

/run/systemd/userdb/org.samba.winbind: New incoming message:
{"parameters":{"incomplete":false,"record":{"gid":25275,"groupName":"AFOREST\\bgroup2","service":"org.samba.winbind"}}}

/run/systemd/userdb/org.samba.winbind: Sending message:
{"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST\\bgroup2","service":"org.samba.winbind"},"more":true}

/run/systemd/userdb/org.samba.winbind: New incoming message:
{"error":"io.systemd.UserDatabase.NoRecordFound"}

Got lookup error: io.systemd.UserDatabase.NoRecordFound

AFOREST\bgroup2:x:25275:

samba@varlink:~> SYSTEMD_LOG_LEVEL=7 getent -sgroup:systemd group "AFOREST\\bgroup1"

/run/systemd/userdb/org.samba.winbind: Sending message:
{"method":"io.systemd.UserDatabase.GetGroupRecord","parameters":{"groupName":"AFOREST\\bgroup1","service":"org.samba.winbind"}}

/run/systemd/userdb/org.samba.winbind: New incoming message:
{"parameters":{"incomplete":false,"record":{"gid":25274,"groupName":"AFOREST\\bgroup1","members":["AFOREST\\buser1"],"service":"org.samba.winbind"}}}

/run/systemd/userdb/org.samba.winbind: Sending message:
{"method":"io.systemd.UserDatabase.GetMemberships","parameters":{"groupName":"AFOREST\\bgroup1","service":"org.samba.winbind"},"more":true}

/run/systemd/userdb/org.samba.winbind: New incoming message:
{"parameters":{"groupName":"AFOREST\\bgroup1","userName":"AFOREST\\buser1"}}

(string):1:28: JSON field 'groupName' contains unsafe characters, refusing.

[1] https://learn.microsoft.com/en-us/windows/win32/secauthn/user-name-formats#down-level-logon-name

[2] https://github.com/systemd/systemd/blob/main/src/basic/string-util.c#L990


-- 
Samuel Cabrero / SUSE Labs Samba Team
GPG: D7D6 E259 F91C F0B3 2E61 1239 3655 6EC9 7051 0856
scabrero at suse.com
scabrero at suse.de
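Added illustration (not code from the thread, from systemd or from Samba): a small Python checker that decodes Varlink messages like the ones in the post and reports which string fields a string_is_safe()-style check would refuse, showing that the JSON escape "\\" decodes to the single literal backslash being rejected. The refused character set is an assumption modelled on the post's observation (control characters, DEL, quotes, backslash); the sample messages are copied from the exchange above.

```python
import json

# Constructed sample: two replies from the exchange in the post, as the
# Varlink client receives them (one JSON document per message). The JSON
# escape "\\" decodes to a single backslash in the field value.
SAMPLE_REPLIES = {
    "GetUserRecord": '{"parameters":{"incomplete":false,"record":{"gid":20513,'
                     '"homeDirectory":"/home/AFOREST/buser1","service":"org.samba.winbind",'
                     '"shell":"/bin/bash","uid":25264,"userName":"AFOREST\\\\buser1"}}}',
    "GetMemberships": '{"parameters":{"groupName":"AFOREST\\\\bgroup1",'
                      '"userName":"AFOREST\\\\buser1"}}',
}

# Characters a string_is_safe()-style check refuses. Assumption: ASCII control
# characters, DEL, the three quote characters and the backslash; the backslash
# is included because the post shows a literal one being refused.
_UNSAFE = {chr(c) for c in range(0x20)} | set('"\'`\\\x7f')

def string_is_safe(value: str) -> bool:
    """True when no character of value is in the refused set."""
    return not any(ch in _UNSAFE for ch in value)

def _walk(node, path):
    # Yield (dotted path, value) for every string that fails the check.
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _walk(child, path + (key,))
    elif isinstance(node, list):
        for index, child in enumerate(node):
            yield from _walk(child, path + (str(index),))
    elif isinstance(node, str) and not string_is_safe(node):
        yield ".".join(path), node

def unsafe_fields(message: str):
    """Decode one Varlink JSON message; list the string fields the check refuses."""
    return list(_walk(json.loads(message), ()))

def split_down_level(name: str):
    """Split a down-level logon name (DOMAIN\\user) into its two parts."""
    domain, sep, user = name.partition("\\")
    return (domain, user) if sep else (None, name)

if __name__ == "__main__":
    for method, reply in SAMPLE_REPLIES.items():
        for path, value in unsafe_fields(reply):
            domain, user = split_down_level(value)
            print(f"{method}: {path}={value!r} refused (domain={domain}, user={user})")
```

Run as a script, it lists the decoded userName/groupName values from both replies as refused, so the difference observed in the post (user records accepted, memberships refused) is not in the string itself but in which dispatch path applies the check.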

