Bug 71144 - Really don't delete the root user
Summary: Really don't delete the root user
Status: RESOLVED FIXED
Alias: None
Product: accountsservice
Classification: Unclassified
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: Matthias Clasen
Reported: 2013-11-01 21:13 UTC by Matthias Clasen
Modified: 2013-11-05 00:02 UTC

Attachments
patch (1.53 KB, text/plain)
2013-11-01 21:13 UTC, Matthias Clasen

Description Matthias Clasen 2013-11-01 21:13:31 UTC
Created attachment 88513
patch

The check we have in place against deleting the root user can
be tricked by exploiting the fact that we are checking a gint64,
and then later cast it to a uid_t. This can be seen with the
following test, which will delete your root account:

qdbus --system org.freedesktop.Accounts /org/freedesktop/Accounts \
     org.freedesktop.Accounts.DeleteUser -9223372036854775808 true

Found with the dfuzzer tool,
https://github.com/matusmarhefka/dfuzzer
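
The gap between the 64-bit check and the narrowed uid_t described above, as an added C example (not the attached patch and not accountsservice code). int64_t stands in for gint64, the function names are hypothetical, and uid_t is assumed to be the 32-bit unsigned type used on Linux.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

/* Flawed pattern from the report: root is tested on the 64-bit value,
 * but the value acted on later is the narrowed uid_t. */
static bool flawed_is_root(int64_t uid)   /* int64_t stands in for gint64 */
{
    return uid == 0;
}

/* The uid the rest of the code sees after the cast. Conversion to an
 * unsigned type keeps the value modulo 2^(width of uid_t). */
static uid_t narrowed_uid(int64_t uid)
{
    return (uid_t) uid;
}

/* Hardened variant (an assumption, not the attached patch): reject any
 * value that does not survive the round trip through uid_t, then test
 * for root on the narrowed value that will actually be used. */
static bool checked_uid(int64_t uid, uid_t *out)
{
    uid_t narrow = (uid_t) uid;

    if (uid < 0 || (int64_t) narrow != uid)
        return false;               /* out of range for uid_t */
    if (narrow == 0)
        return false;               /* root is never an acceptable target */
    *out = narrow;
    return true;
}

int main(void)
{
    /* Constructed sample inputs, including the value from the report. */
    int64_t samples[] = { INT64_MIN, 0, 1000, (int64_t) 1 << 32, -1 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uid_t out = 0;
        printf("%lld: flawed_is_root=%d narrowed=%lu accepted=%d\n",
               (long long) samples[i], flawed_is_root(samples[i]),
               (unsigned long) narrowed_uid(samples[i]),
               checked_uid(samples[i], &out));
    }
    return 0;
}
```
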
Comment 1 Ray Strode [halfline] 2013-11-05 00:02:40 UTC
thanks, pushed!