[1307] in bugtraq
Re: GNU finger 1.37 executes ~/.fingerrc with gid root
daemon@ATHENA.MIT.EDU (Christian Wettergren)
Mon Mar 20 08:10:21 1995
To: "Thomas Roessler" <roessler@sobolev.cologne.de>
Cc: bug-gnu-utils@gnu.ai.mit.edu, bugtraq@fc.net
In-Reply-To: Your message of Fri, 17 Mar 95 12:42:02 +0100. <199503171142.MAA00266@sobolev.cologne.de>
Date: Mon, 20 Mar 95 11:26:04 +0100
From: Christian Wettergren <cwe@it.kth.se>
| There is a bug in the `lib/site/userinfo.c' module of GNU finger version
| 1.37 allowing any user on a system to execute arbitrary commands with gid
| root from ~/.fingerrc. The problem is that GNU finger *first* changes its
| userid thus giving away root privileges and *then* tries to change its gid
| which will not succeed.
I would feel much more comfortable if the return values of setuid() and
setgid() were checked. The current setup assumes the daemon is run as root.
If it is not (it wasn't at our site, for "historical" reasons) it will
keep its spawned identity, not changing it at all, without discovering this.
| /* Set uid/gid */
| - setuid (user->pw_uid);
| setgid (user->pw_gid);
|
| /* Set default directory */
| chdir (user->pw_dir);
|
| /* Run ~/.fingerrc through user shell */
| #ifdef FINGERRC_SHELL
| execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
| #else
| execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
| #endif
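Review bot: as quoted, the hunk only removes `setuid (user->pw_uid);` ahead of `setgid (user->pw_gid);` and does not show where the setuid() call is re-added after setgid(), so the fragment on its own never sets the uid before execlp(). The fix needs setgid() first and setuid() second, with both return values checked (the chdir() and execlp() results go unchecked here as well), and the process should exit rather than run the user's shell if any of those calls fails.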
/Christian Wettergren, cwe@it.kth.se
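The privilege-drop sequence the two messages describe, written out as an added example in C. This is not GNU finger's own code; it assumes the caller either starts as root or is asked to drop to the ids it already has, and the `run_fingerrc()` wrapper, the `.fingerrc` path builder and the refusal to run an rc file for uid 0 are choices made for this example rather than anything the original module does.

```c
/* Added example (not GNU finger's code): change gid before uid, check
 * every return value, and only then run the user's ~/.fingerrc. */
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Build "<home>/.fingerrc" into buf; returns 0, or -1 if it would not fit. */
int build_fingerrc_path(const char *home, char *buf, size_t size)
{
    int n = snprintf(buf, size, "%s/.fingerrc", home);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* Returns 1 when real and effective uid/gid all equal the targets. */
int privileges_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

/* Drop to uid/gid: supplementary groups, then gid, then uid.  The order
 * matters: once setuid() has given up root, setgid() can no longer change
 * the group, which is exactly the GNU finger 1.37 bug.  Every call is
 * checked, so a daemon that was not started as root fails loudly instead
 * of silently keeping the identity it was spawned with.
 * Returns 0 on success, -1 on failure with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;                 /* only root may reset the group list */
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (!privileges_match(uid, gid)) {
        errno = EPERM;             /* ids changed, but not to what we asked */
        return -1;
    }
    return 0;
}

/* Same steps as the quoted finger code path, with the fixes applied:
 * drop ids, chdir, then exec the user's shell on the rc file.
 * Returns -1 on any failure; on success it does not return. */
int run_fingerrc(const struct passwd *user)
{
    char file[4096];
    if (user->pw_uid == 0) {
        errno = EPERM;             /* example policy: never run an rc as root */
        return -1;
    }
    if (build_fingerrc_path(user->pw_dir, file, sizeof file) != 0)
        return -1;
    if (drop_privileges(user->pw_uid, user->pw_gid) != 0)
        return -1;
    if (chdir(user->pw_dir) != 0)
        return -1;
    if (access(file, R_OK) != 0)
        return -1;                 /* no readable rc file: nothing to run */
    execlp(user->pw_shell, user->pw_shell, "-c", file, (char *)NULL);
    return -1;                     /* execlp() only returns on error */
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s username\n", argv[0]);
        return 2;
    }
    struct passwd *pw = getpwnam(argv[1]);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", argv[1]);
        return 1;
    }
    run_fingerrc(pw);              /* only comes back if something failed */
    perror("run_fingerrc");
    return 1;
}
```

Run as root with a username to exercise the full drop; run as an ordinary user and the setgid()/setuid() calls for any other account fail with EPERM and the program exits before reaching the shell, which is the behaviour Christian asks for.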