[14254] in Athena Bugs
/etc/athena/cleanup on Solaris (7.7*)
daemon@ATHENA.MIT.EDU (Tom Yu)
Thu Mar 14 18:24:24 1996
Date: Thu, 14 Mar 1996 18:24:18 -0500
To: bugs@MIT.EDU
From: Tom Yu <tlyu@MIT.EDU>
There's a shadowfile clobbering bug. Basically the username wasn't
getting nul-terminated before getpwnam() was being called. strncpy()
doesn't nul-terminate if you don't copy all of the source string,
meaning that getpwnam() got garbage if your previous username was
longer than your current one. *sigh* It's a wonder that no one
noticed this earlier...
Sample patch follows:
--- cleanup.c Sun Aug 14 15:10:31 1994
+++ /tmp/cleanup.c Thu Mar 14 18:18:17 1996
@@ -748,7 +748,11 @@
strcpy(buffer1, buffer);
p = index(buffer1, ':');
if (p) {
- strncpy(username, buffer1,p-buffer1);
+ if (p - buffer1 <= 8)
+ *p = '\0';
+ else
+ buffer1[8] = '\0';
+ strcpy(username, buffer1);
pw = getpwnam(username);
if (pw)
uid = pw-> pw_uid;
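Review bot: the truncation width 8 in the added lines "+ if (p - buffer1 <= 8)" and "+ buffer1[8] = '\0';" is a magic number; if username is a fixed-size array, express it as sizeof(username) - 1 so the bound cannot drift from the buffer it protects. Also note that the else branch silently shortens any username longer than 8 characters before pw = getpwnam(username) runs, so such a line is looked up as a different, shorter name; skipping or logging those entries instead of truncating would avoid acting on the wrong account.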
Enjoy!
---Tom
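As an added illustration, not part of Tom's report or the Athena cleanup.c code, the constructed C fragment below reproduces the non-terminating strncpy() copy into a reused 8-character buffer and contrasts it with a bounded copy that always terminates and refuses to truncate; the helper names, the sample lines and the NAME_LEN width are assumptions.

```c
#include <string.h>

#define NAME_LEN 8   /* assumed field width, matching the patch's constant 8 */

/* Buggy extraction, as in the original cleanup.c line: strncpy() copies
 * exactly (p - line) bytes and writes no terminator, so whatever a longer
 * previous username left in the reused buffer stays behind the new one. */
void extract_user_buggy(char *username, const char *line)
{
    const char *p = strchr(line, ':');
    if (p)
        strncpy(username, line, (size_t)(p - line));
}

/* Hardened extraction: bound the copy by the destination size, always
 * terminate, and reject overlong names rather than silently shortening
 * them before the getpwnam() lookup. */
int extract_user_fixed(char *username, size_t size, const char *line)
{
    const char *p = strchr(line, ':');
    size_t n;
    if (!p)
        return -1;              /* malformed line: no ':' separator */
    n = (size_t)(p - line);
    if (n >= size)
        return -2;              /* would truncate: caller should skip it */
    memcpy(username, line, n);
    username[n] = '\0';
    return 0;
}

/* Two constructed passwd-style lines processed through one reused buffer,
 * the same pattern as cleanup.c. Returns the name seen for line 2. */
const char *demo_buggy(void)
{
    static char username[NAME_LEN + 1];
    memset(username, 0, sizeof username);
    extract_user_buggy(username, "longname:x:100");   /* 8 chars, fills buffer */
    extract_user_buggy(username, "bob:x:101");        /* yields "bobgname" */
    return username;
}

const char *demo_fixed(void)
{
    static char username[NAME_LEN + 1];
    extract_user_fixed(username, sizeof username, "longname:x:100");
    extract_user_fixed(username, sizeof username, "bob:x:101");  /* yields "bob" */
    return username;
}
```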