[882] in linux-security and linux-alert archive


Re: [linux-security] sudo passwd wrapper

daemon@ATHENA.MIT.EDU (Mark Whitis)
Fri Jul 5 13:17:56 1996

Date: Thu, 4 Jul 1996 20:40:42 -0400 (EDT)
From: Mark Whitis <whitis@dbd.com>
To: Adam Solesby <adam@saucy.shack.com>
cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199607011841.NAA09666@saucy.shack.com>

Other people have already pointed out various serious bugs in
this program involving the environment and system() calls
and buffer overflows before I even read your message.
Here is one which is pretty obvious.

On Mon, 1 Jul 1996, Adam Solesby wrote:

> 	/* array of users that should not be changed */
> 	char * NOCHANGE[NUM_NOCHANGE] = { "root", "adam" };

How about: "bin", "daemon", "adm", "lp", "mail","news","uucp","operator",
"games", "gopher", "ftp", and even "nobody"?  Also "sync", "shutdown", 
and "halt"?

1.   chpw  bin
2.   chsh bin 
3.   login bin
4.   bad stuff

The privileged accounts (such as "bin", "daemon", ...) can be
used to gain new privileges, and the "unprivileged" accounts
such as "nobody" can still be used to create a back door for future
access to the system (even "nobody" can read /etc/passwd).
These holes can be exploited by either your semi-trusted assistants
or anyone who they inadvertently allow to snoop their activities by
careless actions over the net.

The method of checking against a list of exclusions is a bad idea in
the first place:
  - You can easily omit important values.  You missed about 15.
  - If you add a privileged or other non-user account later,
    it won't be on your list.
  - It is vulnerable to string equality problems.  If "operator"
    is in your exclusion list, it does not match "operatorxyz"
    which on some systems is equivalent (user names being limited
    to 8 chars).  Fortunately, Npasswd as distributed with
    redhat 3.0.3 does not have this problem.
A safe uid range would be better or a list of allowed usernames
stored in a file (such as "/etc/pleebs") which can only be changed
by root and which is automatically updated by your add user script.

---------------------------------------------------------------------------
---  Mark Whitis <whitis@dbd.com>     WWW:  http://www.dbd.com/~whitis/ ---
---  428-B Moseley Drive; Charlottesville, VA 22903        804-962-4268 ---
---------------------------------------------------------------------------
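The three checks discussed in the message above, side by side, as an added example that is not part of the original post or of the wrapper under review. It contrasts the exclusion-list check (the posted `NOCHANGE` array) with the two alternatives recommended: a safe uid range and a root-owned allow-list of user names. The passwd excerpt and the "/etc/pleebs" contents are constructed for the example, and the uid range 1000..59999 is an assumed site policy, not a value from the thread.

```c
/* Added example (not the original wrapper's code): exclusion list vs.
 * safe uid range vs. allow-list file for a passwd-changing wrapper.
 * The passwd lines, the /etc/pleebs contents and the uid range are
 * constructed assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed /etc/passwd excerpt: name:x:uid:gid:gecos:home:shell */
static const char *PASSWD_SAMPLE =
    "root:x:0:0:root:/root:/bin/sh\n"
    "bin:x:1:1:bin:/bin:/sbin/nologin\n"
    "operator:x:11:0:operator:/root:/sbin/nologin\n"
    "nobody:x:65534:65534:nobody:/:/sbin/nologin\n"
    "adam:x:1000:1000:Adam:/home/adam:/bin/sh\n"
    "alice:x:1001:1001:Alice:/home/alice:/bin/sh\n";

/* Constructed allow-list, standing in for the suggested /etc/pleebs
 * (one user name per line, writable only by root). */
static const char *PLEEBS_SAMPLE = "alice\nbob\n";

/* Resolve a user name to its uid in the sample passwd text, exact
 * whole-name match only; returns -1 if the name is not present. */
long lookup_uid(const char *name) {
    const char *p = PASSWD_SAMPLE;
    size_t n = strlen(name);
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > n && p[n] == ':' && strncmp(p, name, n) == 0) {
            const char *f = strchr(p + n + 1, ':'); /* skip "name:x" */
            return f ? strtol(f + 1, NULL, 10) : -1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return -1;
}

/* The criticised approach: deny only the names somebody remembered
 * to list.  "bin", "nobody" and "operatorxyz" all slip through. */
int denylist_allows(const char *name) {
    static const char *NOCHANGE[] = { "root", "adam" };
    size_t i;
    for (i = 0; i < sizeof NOCHANGE / sizeof NOCHANGE[0]; i++)
        if (strcmp(name, NOCHANGE[i]) == 0) return 0;
    return 1;
}

/* Safe uid range: only ordinary user accounts may be changed.  System
 * accounts added later are covered automatically, and an unknown name
 * (uid -1) is refused rather than allowed. */
int uid_range_allows(const char *name) {
    long uid = lookup_uid(name);
    return uid >= 1000 && uid < 60000;
}

/* Allow-list file: the name must appear exactly as a whole line, so a
 * prefix like "alic" or a longer "alicexyz" does not match. */
int allowlist_allows(const char *name) {
    const char *p = PLEEBS_SAMPLE;
    size_t n = strlen(name);
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen == n && strncmp(p, name, n) == 0) return 1;
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

int main(void) {
    const char *names[] = { "root", "bin", "nobody", "operatorxyz", "alice" };
    size_t i;
    printf("%-12s %-9s %-9s %-9s\n", "user", "denylist", "uidrange", "pleebs");
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s %-9s %-9s %-9s\n", names[i],
               denylist_allows(names[i]) ? "allow" : "deny",
               uid_range_allows(names[i]) ? "allow" : "deny",
               allowlist_allows(names[i]) ? "allow" : "deny");
    return 0;
}
```

Note that both recommended checks fail closed for a name that does not resolve at all, whereas the exclusion list allows anything it has not heard of; in a real wrapper the uid would come from getpwnam() on the live passwd database rather than from an embedded sample.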

