[167] in linux-security and linux-alert archive
Important security fix to getpwnam.c
daemon@ATHENA.MIT.EDU (Swen Thuemmler)
Wed Mar 15 07:54:45 1995
Date: Wed, 15 Mar 1995 10:33:42 +0100 (MET)
From: Swen Thuemmler <swen@uni-paderborn.de>
To: Linux GCC <linux-gcc@vger.rutgers.edu>
cc: "H.J. Lu" <hjl@nynexst.com>, linux-security@tarsier.cv.nrao.edu
Hello all,
the following patch fixes a security hole present in the current libc
code. The bug allows anyone to become root if you have the entry
+::0:0::: in /etc/passwd, and it allows anyone to become the user whose
entry is before an entry starting with a "+" in /etc/passwd, e.g. if you
have
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
ftp:*:404:1::/home/ftp:/bin/bash
+@mygroup
-@hackers
+
in /etc/passwd, then the commands
su +@mygroup
su -- -@hackers
su +
will su to ftp without a password. This bug not only affects su, but also
login, rlogin, rsh etc. The only fix is to disable NIS or to put a -1 in
the uid and gid fields of the "+" entries (this will still allow anyone to
log in, but only with a uid and gid of 65535).
Now where is the hole I can crawl into ...
--Swen
diff -u -r2.7 -r2.6
--- 2.7 1995/03/15 09:02:37
+++ 2.6 1995/03/03 16:17:53
@@ -63,6 +63,8 @@
return(NULL);
while ((p = __pwdread(stream, info)) != NULL)
{
+ if (!strcmp(p->pw_name, name))
+ break;
#ifdef YP
if (NULL == stored_pwd)
stored_pwd = __nis_alloc_pwd_args();
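Review bot: the revision order of this diff is reversed: `--- 2.7` is the newer (fixed) revision and `+++ 2.6` the older, so the `+` lines in this hunk (`if (!strcmp(p->pw_name, name))` / `break;` placed before `#ifdef YP`) are the pre-fix code that accepts a "+"- or "-"-prefixed passwd entry by its literal name before the `#ifdef YP` block ever processes it. Applying this hunk as-is with `patch` would revert the fix; regenerate it with `diff -u -r2.6 -r2.7` (or apply it with `patch -R`) so the removed and added lines match the fix described in the message.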
@@ -118,8 +120,6 @@
break;
}
#endif;
- if (0 == strcmp(p->pw_name, name))
- break;
}
(void) fclose(stream);
return(p);
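Review bot: the `#endif;` context line at the top of this hunk carries a stray semicolon; gcc reports it as extra tokens after a preprocessor directive, and it should read `#endif /* YP */`. Also, the comparison moved here uses `0 == strcmp(...)` while the copy removed from before the `#ifdef YP` block used `!strcmp(...)`; the two are equivalent, but one spelling should be used consistently.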
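As an added example that is not part of Swen's message or the libc source: a small Python check, written from the administrator's side, that scans passwd content for the "+"/"-" NIS compat entries the message describes and flags those whose uid or gid field is empty or 0, plus a helper that applies the -1 workaround the message mentions. The sample passwd content is constructed from the entries in the post.

```python
# Constructed sample /etc/passwd content modelled on the entries in the post,
# with one already-hardened "+" entry (uid/gid -1) at the end for contrast.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
man:*:13:15:man:/usr/man:
postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
ftp:*:404:1::/home/ftp:/bin/bash
+@mygroup
-@hackers
+
+::0:0:::
+::-1:-1:::
"""


def parse_passwd(text):
    """Split passwd text into (line number, field list) pairs, skipping blank lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip():
            entries.append((lineno, line.split(":")))
    return entries


def risky_compat_entries(text):
    """Return (line number, entry, reason) for '+'/'-' compat entries whose uid or
    gid field is empty or 0.  Short entries such as '+' or '+@group' have no
    uid/gid field at all, which counts as empty."""
    findings = []
    for lineno, fields in parse_passwd(text):
        if not fields[0].startswith(("+", "-")):
            continue  # ordinary local account, not an NIS compat entry
        uid = fields[2] if len(fields) > 2 else ""
        gid = fields[3] if len(fields) > 3 else ""
        if uid in ("", "0") or gid in ("", "0"):
            reason = "uid=%r gid=%r" % (uid, gid)
            findings.append((lineno, ":".join(fields), reason))
    return findings


def harden_entry(line):
    """Rewrite a '+'/'-' compat entry so its uid and gid fields are -1, the
    workaround given in the post; short entries are padded to 7 fields."""
    fields = line.split(":")
    fields += [""] * (7 - len(fields))
    for idx in (2, 3):  # uid, gid
        if fields[idx] in ("", "0"):
            fields[idx] = "-1"
    return ":".join(fields[:7])


if __name__ == "__main__":
    for lineno, entry, reason in risky_compat_entries(SAMPLE_PASSWD):
        print("line %d: %s (%s) -> %s" % (lineno, entry, reason, harden_entry(entry)))
```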