Bug 71144

Summary: Really don't delete the root user
Product: accountsservice
Component: general
Reporter: Matthias Clasen <mclasen>
Assignee: Matthias Clasen <mclasen>
Status: RESOLVED FIXED
QA Contact:
Severity: normal
Priority: medium
CC: marius.vollmer, rstrode, stefw
Version: unspecified
Hardware: Other
OS: All
Attachments: patch

Description Matthias Clasen 2013-11-01 21:13:31 UTC
Created attachment 88513: patch

The check we have in place against deleting the root user can
be tricked by exploiting the fact that we are checking a gint64,
and then later cast it to a uid_t. This can be seen with the
following test, which will delete your root account:

qdbus --system org.freedesktop.Accounts /org/freedesktop/Accounts \
     org.freedesktop.Accounts.DeleteUser -9223372036854775808 true

Found with the dfuzzer tool,
https://github.com/matusmarhefka/dfuzzer
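
The narrowing described in the report, reduced to a stand-alone C example added here for illustration; it is not the accountsservice code or the attached patch. The function names are hypothetical, and uid_t is assumed to be 32 bits wide, as on Linux.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

_Static_assert(sizeof(uid_t) == 4, "example assumes a 32-bit uid_t");

/* Hypothetical stand-in for the flawed pattern: the root test runs on the
 * 64-bit request argument, but the value acted on is the narrowed uid_t. */
static bool naive_allows_delete(int64_t requested, uid_t *target)
{
    if (requested == 0)
        return false;            /* only catches "all 64 bits are zero" */
    *target = (uid_t)requested;  /* conversion keeps the low 32 bits only */
    return true;
}

/* Hardened form: reject values that do not fit in uid_t, convert once,
 * and apply the root test to the converted value that will be used. */
static bool checked_allows_delete(int64_t requested, uid_t *target)
{
    /* (uid_t)-1 is a reserved "no uid" sentinel, so it is excluded too. */
    const int64_t max_uid = (int64_t)(uid_t)-1 - 1;

    if (requested < 0 || requested > max_uid)
        return false;
    uid_t uid = (uid_t)requested;
    if (uid == 0)
        return false;
    *target = uid;
    return true;
}

int main(void)
{
    /* Constructed inputs: the value from the report, another multiple of
     * 2^32, an ordinary uid, and a plain 0. */
    const int64_t samples[] = { INT64_MIN, INT64_C(4294967296), 1000, 0 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uid_t n = (uid_t)-1, c = (uid_t)-1;
        bool naive = naive_allows_delete(samples[i], &n);
        bool checked = checked_allows_delete(samples[i], &c);
        printf("%lld: naive=%d (uid %u) checked=%d\n",
               (long long)samples[i], naive, (unsigned)n, checked);
    }
    return 0;
}
```

Any non-zero multiple of 2^32 passes the 64-bit comparison and still narrows to uid 0, so the value in the report is one member of a whole class of inputs.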
Comment 1 Ray Strode [halfline] 2013-11-05 00:02:40 UTC
thanks, pushed!
