[1190] in linux-security and linux-alert archive
[linux-security] Shadow passwd race condition
daemon@ATHENA.MIT.EDU (Richard Huveneers)
Thu Oct 3 17:19:15 1996
To: linux-security@tarsier.cv.nrao.edu
Date: 2 Oct 1996 12:31:59 GMT
From: richard@hekkihek.hacom.nl (Richard Huveneers)
Reply-To: richard@hekkihek.hacom.nl
There is a race condition in the 'passwd' of the shadow password suite.
It first fills in a struct spwd, then locks the /etc/shadow file and then
writes the structure to the file.
Only the entry might be changed before locking the /etc/shadow file, for
instance, the password might be locked by the sysadmin!
>From a quick grep in the source it looks like 'passwd' is the only tool
which has this bug (the others contain a spw_locate() call).
Regards, Richard.