Hardcoding Prog to known value

See #959. We now set Prog (program name) based on hardcoded value instead of argv[0]. This is to help prevent escape sequence injection.
shadow-maint · Mar 7, 2024 · e6c2e43 · e6c2e43
1 parent d138444
commit e6c2e43
Show file tree

Hide file tree

Showing 37 changed files with 85 additions and 171 deletions.
diff --git a/src/chage.c b/src/chage.c
@@ -45,7 +45,7 @@
 /*
  * Global variables
  */
-const char *Prog;
+static const char Prog[] = "chage";
 
 static bool
  dflg = false, /* set last password change date */
@@ -517,7 +517,7 @@ static void check_perms (void)
  exit (E_NOPERM);
  }
 
- retval = pam_start ("chage", pampw->pw_name, &conv, &pamh);
+ retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
 
  if (PAM_SUCCESS == retval) {
  retval = pam_authenticate (pamh, 0);
@@ -771,7 +771,6 @@ int main (int argc, char **argv)
  /*
  * Get the program name so that error messages can use it.
  */
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
 
@@ -786,7 +785,7 @@ int main (int argc, char **argv)
 #ifdef WITH_AUDIT
  audit_help_open ();
 #endif
- OPENLOG ("chage");
+ OPENLOG (Prog);
 
  ruid = getuid ();
  rgid = getgid ();

diff --git a/src/check_subid_range.c b/src/check_subid_range.c
@@ -20,14 +20,13 @@
 #include "idmapping.h"
 #include "shadowlog.h"
 
-const char *Prog;
+static const char Prog[] = "check_subid_range";
 
 int main(int argc, char **argv)
 {
  char *owner;
  unsigned long start, count;
  bool check_uids;
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
 

diff --git a/src/chfn.c b/src/chfn.c
@@ -39,7 +39,7 @@
 /*
  * Global variables.
  */
-const char *Prog;
+static const char Prog[] = "chfn";
 static char fullnm[BUFSIZ];
 static char roomno[BUFSIZ];
 static char workph[BUFSIZ];
@@ -365,7 +365,7 @@ static void check_perms (const struct passwd *pw)
  * check if the change is allowed by SELinux policy.
  */
  if ((pw->pw_uid != getuid ())
- && (check_selinux_permit ("chfn") != 0)) {
+ && (check_selinux_permit (Prog) != 0)) {
  fprintf (stderr, _("%s: Permission denied.\n"), Prog);
  closelog ();
  exit (E_NOPERM);
@@ -380,7 +380,7 @@ static void check_perms (const struct passwd *pw)
  * --marekm
  */
  if (!amroot && getdef_bool ("CHFN_AUTH")) {
- passwd_check (pw->pw_name, pw->pw_passwd, "chfn");
+ passwd_check (pw->pw_name, pw->pw_passwd, Prog);
  }
 
 #else /* !USE_PAM */
@@ -392,7 +392,7 @@ static void check_perms (const struct passwd *pw)
  exit (E_NOPERM);
  }
 
- retval = pam_start ("chfn", pampw->pw_name, &conv, &pamh);
+ retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
 
  if (PAM_SUCCESS == retval) {
  retval = pam_authenticate (pamh, 0);
@@ -620,11 +620,6 @@ int main (int argc, char **argv)
  char *user;
  const struct passwd *pw;
 
- /*
- * Get the program name. The program name is used as a
- * prefix to most error messages.
- */
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
 
@@ -641,7 +636,7 @@ int main (int argc, char **argv)
  */
  amroot = (getuid () == 0);
 
- OPENLOG ("chfn");
+ OPENLOG (Prog);
 
  /* parse the command line options */
  process_flags (argc, argv);

diff --git a/src/chgpasswd.c b/src/chgpasswd.c
@@ -36,7 +36,7 @@
 /*
  * Global variables
  */
-const char *Prog;
+static const char Prog[] = "chgpasswd";
 static bool eflg = false;
 static bool md5flg = false;
 #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
@@ -303,7 +303,7 @@ static void check_perms (void)
  exit (1);
  }
 
- retval = pam_start ("chgpasswd", pampw->pw_name, &conv, &pamh);
+ retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
 
  if (PAM_SUCCESS == retval) {
  retval = pam_authenticate (pamh, 0);
@@ -423,7 +423,6 @@ int main (int argc, char **argv)
  int errors = 0;
  int line = 0;
 
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
 
@@ -441,7 +440,7 @@ int main (int argc, char **argv)
 
  process_flags (argc, argv);
 
- OPENLOG ("chgpasswd");
+ OPENLOG (Prog);
 
  check_perms ();
 

diff --git a/src/chpasswd.c b/src/chpasswd.c
@@ -35,7 +35,7 @@
 /*
  * Global variables
  */
-const char *Prog;
+static const char Prog[] = "chpasswd";
 static bool eflg = false;
 static bool md5flg = false;
 #if defined(USE_SHA_CRYPT) || defined(USE_BCRYPT) || defined(USE_YESCRYPT)
@@ -302,7 +302,7 @@ static void check_perms (void)
  exit (1);
  }
 
- retval = pam_start ("chpasswd", pampw->pw_name, &conv, &pamh);
+ retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
 
  if (PAM_SUCCESS == retval) {
  retval = pam_authenticate (pamh, 0);
@@ -450,7 +450,6 @@ int main (int argc, char **argv)
  int errors = 0;
  int line = 0;
 
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
 
@@ -476,7 +475,7 @@ int main (int argc, char **argv)
  }
 #endif /* USE_PAM */
 
- OPENLOG ("chpasswd");
+ OPENLOG (Prog);
 
  check_perms ();
 
@@ -546,7 +545,7 @@ int main (int argc, char **argv)
 
 #ifdef USE_PAM
  if (use_pam) {
- if (do_pam_passwd_non_interactive ("chpasswd", name, newpwd) != 0) {
+ if (do_pam_passwd_non_interactive (Prog, name, newpwd) != 0) {
  fprintf (stderr,
  _("%s: (line %d, user %s) password not changed\n"),
  Prog, line, name);

diff --git a/src/chsh.c b/src/chsh.c
@@ -46,7 +46,7 @@
 /*
  * Global variables
  */
-const char *Prog;  /* Program name */
+static const char Prog[] = "chsh"; /* Program name */
 static bool amroot; /* Real UID is root */
 static char loginsh[BUFSIZ]; /* Name of new login shell */
 /* command line options */
@@ -319,7 +319,7 @@ static void check_perms (const struct passwd *pw)
  * check if the change is allowed by SELinux policy.
  */
  if ((pw->pw_uid != getuid ())
- && (check_selinux_permit("chsh") != 0)) {
+ && (check_selinux_permit(Prog) != 0)) {
  SYSLOG ((LOG_WARN, "can't change shell for '%s'", pw->pw_name));
  fprintf (stderr,
  _("You may not change the shell for '%s'.\n"),
@@ -336,7 +336,7 @@ static void check_perms (const struct passwd *pw)
  * chfn/chsh. --marekm
  */
  if (!amroot && getdef_bool ("CHSH_AUTH")) {
- passwd_check (pw->pw_name, pw->pw_passwd, "chsh");
+ passwd_check (pw->pw_name, pw->pw_passwd, Prog);
  }
 
 #else /* !USE_PAM */
@@ -348,7 +348,7 @@ static void check_perms (const struct passwd *pw)
  exit (E_NOPERM);
  }
 
- retval = pam_start ("chsh", pampw->pw_name, &conv, &pamh);
+ retval = pam_start (Prog, pampw->pw_name, &conv, &pamh);
 
  if (PAM_SUCCESS == retval) {
  retval = pam_authenticate (pamh, 0);
@@ -473,11 +473,6 @@ int main (int argc, char **argv)
 
  sanitize_env ();
 
- /*
- * Get the program name. The program name is used as a prefix to
- * most error messages.
- */
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
 
@@ -492,7 +487,7 @@ int main (int argc, char **argv)
  */
  amroot = (getuid () == 0);
 
- OPENLOG ("chsh");
+ OPENLOG (Prog);
 
  /* parse the command line options */
  process_flags (argc, argv);

diff --git a/src/expiry.c b/src/expiry.c
@@ -25,7 +25,7 @@
 #include "shadowlog.h"
 
 /* Global variables */
-const char *Prog;
+static const char Prog[] = "expiry";
 static bool cflg = false;
 
 /* local function prototypes */
@@ -125,7 +125,6 @@ int main (int argc, char **argv)
  struct passwd *pwd;
  struct spwd *spwd;
 
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
 
@@ -147,7 +146,7 @@ int main (int argc, char **argv)
  (void) bindtextdomain (PACKAGE, LOCALEDIR);
  (void) textdomain (PACKAGE);
 
- OPENLOG ("expiry");
+ OPENLOG (Prog);
 
  process_flags (argc, argv);
 

diff --git a/src/faillog.c b/src/faillog.c
@@ -40,7 +40,7 @@ static void reset (void);
 /*
  * Global variables
  */
-const char *Prog;  /* Program name */
+static const char Prog[] = "faillog"; /* Program name */
 static FILE *fail; /* failure file stream */
 static time_t seconds; /* that number of days in seconds */
 static unsigned long umin; /* if uflg and has_umin, only display users with uid >= umin */
@@ -510,11 +510,6 @@ int main (int argc, char **argv)
  short fail_max = 0; // initialize to silence compiler warning
  long days = 0;
 
- /*
- * Get the program name. The program name is used as a prefix to
- * most error messages.
- */
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
 

diff --git a/src/free_subid_range.c b/src/free_subid_range.c
@@ -9,7 +9,7 @@
 
 /* Test program for the subid freeing routine */
 
-const char *Prog;
+static const char Prog[] = "free_subid_range";
 
 static void usage(void)
 {
@@ -25,7 +25,6 @@ int main(int argc, char *argv[])
  struct subordinate_range range;
  bool group = false; // get subuids by default
 
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
  while ((c = getopt(argc, argv, "g")) != EOF) {

diff --git a/src/get_subid_owners.c b/src/get_subid_owners.c
@@ -6,7 +6,7 @@
 #include "prototypes.h"
 #include "shadowlog.h"
 
-const char *Prog;
+static const char Prog[] = "get_subid_owners";
 
 static void usage(void)
 {
@@ -21,7 +21,6 @@ int main(int argc, char *argv[])
  int i, n;
  uid_t *uids;
 
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
  if (argc < 2) {

diff --git a/src/getsubids.c b/src/getsubids.c
@@ -7,7 +7,7 @@
 #include "prototypes.h"
 #include "shadowlog.h"
 
-const char *Prog;
+static const char Prog[] = "getsubids";
 
 static void usage(void)
 {
@@ -23,7 +23,6 @@ int main(int argc, char *argv[])
  struct subid_range *ranges;
  const char *owner;
 
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
  if (argc < 2)

diff --git a/src/gpasswd.c b/src/gpasswd.c
@@ -43,7 +43,7 @@
  * Global variables
  */
 /* The name of this command, as it is invoked */
-const char *Prog;
+static const char Prog[] = "gpasswd";
 
 #ifdef SHADOWGRP
 /* Indicate if shadow groups are enabled on the system
@@ -942,11 +942,10 @@ int main (int argc, char **argv)
  * with this command.
  */
  bywho = getuid ();
- Prog = Basename (argv[0]);
  log_set_progname(Prog);
  log_set_logfd(stderr);
 
- OPENLOG ("gpasswd");
+ OPENLOG (Prog);
  setbuf (stdout, NULL);
  setbuf (stderr, NULL);