logoutd(8) seems very broken

Lines 208 to 214 in a6eb312

    
           if (strncmp (ut->ut_line, "/dev/", 5) != 0) { 
        
           	strcpy (tty_name, "/dev/"); 
        
           } else { 
        
           	tty_name[0] = '\0'; 
        
           } 
        
           strncat(tty_name, ut->ut_line, NITEMS(ut->ut_line));

This seems like it should result in "/dev//dev/whatever".

Let's assume the first branch happens:

strcpy (tty_name, "/dev/");
strncat(tty_name, ut->ut_line, NITEMS(ut->ut_line));

Which is catenating a prefix of the string with the string itself, thus duplicating the prefix.

I suspect this results in an unconditional failure in the subsequent open(2) call:

shadow/src/logoutd.c

Lines 218 to 224 in a6eb312

    
           tty_fd = 
        
               open (tty_name, O_WRONLY | O_NDELAY | O_NOCTTY); 
        
           if (tty_fd != -1) { 
        
           	send_mesg_to_tty (tty_fd); 
        
           	close (tty_fd); 
        
           	sleep (10); 
        
           }

Is this daemon highly broken?

Also, who uses this daemon? The only distro that seems to provide it is OpenWRT (AFICS).

@neheb You seem to maintain https://github.com/openwrt/packages/commits/2b7369c323ac232ccb39f0321c5b86053a29b263/utils/shadow/Makefile; can you reproduce this on OpenWRT?

This issue has been there since 45c6603 ("[svn-upgrade] Integrating new upstream version, shadow (19990709)"), a.k.a., forever.

Ahhh, no, it's != 0. I misread. Sorry. :-)

	if (strncmp (ut->ut_line, "/dev/", 5) != 0) {
	strcpy (tty_name, "/dev/");
	} else {
	tty_name[0] = '\0';
	}

	strncat(tty_name, ut->ut_line, NITEMS(ut->ut_line));

	tty_fd =
	open (tty_name, O_WRONLY \| O_NDELAY \| O_NOCTTY);
	if (tty_fd != -1) {
	send_mesg_to_tty (tty_fd);
	close (tty_fd);
	sleep (10);
	}