From owner-freebsd-bugs Sun Jan 26 03:20:04 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA02336 for bugs-outgoing; Sun, 26 Jan 1997 03:20:04 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id DAA02330; Sun, 26 Jan 1997 03:20:02 -0800 (PST)
Resent-Date: Sun, 26 Jan 1997 03:20:02 -0800 (PST)
Resent-Message-Id: <199701261120.DAA02330@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, proff@iq.org
Received: from profane.iq.org (profane.iq.org [203.4.184.217]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA02226; Sun, 26 Jan 1997 03:17:10 -0800 (PST)
Received: (from proff@localhost) by profane.iq.org (8.8.4/8.8.2) id WAA16474; Sun, 26 Jan 1997 22:17:20 +1100 (EST)
Message-Id: <199701261117.WAA16474@profane.iq.org>
Date: Sun, 26 Jan 1997 22:17:20 +1100 (EST)
From: Julian Assange
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/2593: [small] security hole and nfs compatibility bug in rexecd.c
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         2593
>Category:       bin
>Synopsis:       [small] security hole and nfs compatibility bug in rexecd.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 26 03:20:01 PST 1997
>Last-Modified:
>Originator:     Julian Assange
>Organization:
>Release:        FreeBSD 3.0-CURRENT i386
>Environment:
>Description:

rexecd.c performs a chdir(home) as root rather than as the user, possibly allowing the rexecd.c client access to directories they would otherwise have been barred from. The condition also has the effect of breaking all NFS-mounted home directories where root is mapped to non-root and the home directory is o-x.

Additionally, the buffer overflow in error() I reported earlier does not exist (I somehow managed (ADD?;) to mix up the order of the arguments in my head, swapping err<->buf).

>How-To-Repeat:
>Fix:
--- src/libexec/rexecd/rexecd.c~ Sun Jan 26 21:48:35 1997 +++ src/libexec/rexecd/rexecd.c Sun Jan 26 22:05:03 1997 @@ -66,9 +66,9 @@ /*VARARGS1*/ int error(); -char username[20] = "USER="; -char homedir[64] = "HOME="; -char shell[64] = "SHELL="; +char username[MAXLOGNAME+5+1] = "USER="; +char homedir[MAXPATHLEN+5+1] = "HOME="; +char shell[MAXPATHLEN+6+1] = "SHELL="; char path[sizeof(_PATH_DEFPATH) + sizeof("PATH=")] = "PATH="; char *envinit[] = {homedir, shell, path, username, 0}; @@ -213,10 +213,6 @@ syslog(LOG_INFO, "login from %s as %s", remote, user); - if (chdir(pwd->pw_dir) < 0) { - error("No remote directory.\n"); - exit(1); - } (void) write(2, "\0", 1); if (port) { (void) pipe(pv);
@@ -276,6 +272,10 @@ cp++; else cp = pwd->pw_shell; + if (chdir(pwd->pw_dir) < 0) { + perror("bad remote directory.\n"); + exit(1); + } execl(pwd->pw_shell, cp, "-c", cmdbuf, 0); perror(pwd->pw_shell); exit(1); @@ -289,7 +289,7 @@ char buf[BUFSIZ]; buf[0] = 1; - (void) sprintf(buf+1, fmt, a1, a2, a3); + (void) snprintf(buf+1, sizeof(buf)-1, fmt, a1, a2, a3); (void) write(2, buf, strlen(buf)); }

>Audit-Trail:
>Unformatted:
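Review bot: the first hunk (the username/homedir/shell declarations) only enlarges the destinations; the copies that fill them from pw_name, pw_dir and pw_shell are not in this patch, and nothing in the passwd database bounds pw_dir or pw_shell to MAXPATHLEN, so those copies still need a length check (strncat/snprintf against the new sizes, or refusing the login when the value does not fit) before the larger buffers actually close the overflow. The trailing +1 on each size is redundant where MAXLOGNAME and MAXPATHLEN already count the terminating NUL; harmless, but worth a comment so nobody "fixes" it later.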
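Review bot: dropping the chdir in the second hunk, just ahead of the `(void) write(2, "\0", 1)`, changes what the client observes: that NUL is the success acknowledgement, and error() (last hunk) sets buf[0] = 1 as the failure marker, so with this patch a missing or unsearchable home directory is reported only after the client has been told the login succeeded and after the pipe(pv)/fork path has run. That is probably acceptable for a directory error, but it should be stated in the commit message, and clients that only inspect the first status byte will now see this case as a successful login whose command happened to fail.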
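Review bot: in the third hunk, perror("bad remote directory.\n") puts the newline before the ": strerror" text that perror appends, so the client reads "bad remote directory.\n: Permission denied\n"; drop the "\n" from the argument. The hunk's context (the cp/pw_shell handling just before execl) also does not show the setgid/initgroups/setuid calls, so please confirm the new chdir sits after the credential switch; if it runs before it, the chdir is still done as root and the hole the PR describes is unchanged. Placing it after the switch is also what fixes the NFS case, since the server then sees the user's uid on the o-x home directory instead of a squashed root.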
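Review bot: in the last hunk, sizeof(buf)-1 is the correct bound because buf[0] carries the status byte and snprintf always NUL-terminates, so the following write(2, buf, strlen(buf)) is safe even when the message is truncated. What the hunk leaves in place is the K&R `/*VARARGS1*/ int error();` with fmt passed straight through, so the remaining rule for callers is that fmt must be a string literal and anything remote-supplied goes in a1..a3 via "%s".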
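The hole the report describes, the order of chdir(home) relative to the switch from root to the user's credentials, can be exercised on its own. The C program below is an added example, not code from this PR or from FreeBSD's rexecd: it performs chdir(2) in a child process in both orders and hands back the child's errno so the two can be compared. The uid/gid 65534 used as the unprivileged target in main() and the /tmp scratch directory are assumptions; the difference only shows when run as root, since only root can change credentials and only root bypasses a missing search bit on a directory.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* mkdtemp/setgroups prototypes on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define CHILD_CRED_FAILED 200  /* exit code reserved for "could not drop privileges" */

/* Irrevocably switch the calling process to uid/gid (no-op if already there).
 * Supplementary groups are cleared first: setgid() alone leaves them in place. */
static int drop_to(uid_t uid, gid_t gid)
{
    if (uid == geteuid() && gid == getegid())
        return 0;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* the switch must not be reversible */
        return -1;
    return 0;
}

/* Run chdir(dir) in a child. drop_first != 0: switch to uid/gid, then chdir
 * (the order the patch moves rexecd to). drop_first == 0: chdir with the
 * caller's credentials, then switch (the order the report calls the hole).
 * Returns 0 on success, chdir's errno on failure, -1 on fork/credential error. */
static int chdir_as(uid_t uid, gid_t gid, const char *dir, int drop_first)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        int rc;
        if (drop_first && drop_to(uid, gid) != 0)
            _exit(CHILD_CRED_FAILED);
        rc = (chdir(dir) == 0) ? 0 : errno;
        if (!drop_first && drop_to(uid, gid) != 0)
            _exit(CHILD_CRED_FAILED);
        _exit(rc < CHILD_CRED_FAILED ? rc : CHILD_CRED_FAILED - 1);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == CHILD_CRED_FAILED ? -1 : WEXITSTATUS(status);
}

/* Constructed fixture: a scratch directory under /tmp with the given mode,
 * owned by whoever runs this. Returns a malloc'd path (caller rmdir()s and
 * free()s it), or NULL. */
static char *make_dir(mode_t mode)
{
    char tmpl[] = "/tmp/rexecd-chdir-XXXXXX";
    if (mkdtemp(tmpl) == NULL)
        return NULL;
    if (chmod(tmpl, mode) != 0) {
        rmdir(tmpl);
        return NULL;
    }
    return strdup(tmpl);
}

int main(void)
{
    /* Assumed unprivileged target: uid/gid 65534, "nobody" on most systems. */
    uid_t target_uid = 65534;
    gid_t target_gid = 65534;
    char *dir = make_dir(0700);    /* o-x, like the NFS home directories in the report */
    if (dir == NULL) {
        perror("make_dir");
        return 1;
    }
    if (geteuid() != 0) {
        printf("run as root to see the difference; %s is searchable only by uid %u\n",
               dir, (unsigned)geteuid());
    } else {
        printf("chdir then drop privileges (original rexecd order): %d\n",
               chdir_as(target_uid, target_gid, dir, 0));
        printf("drop privileges then chdir (patched order):         %d (EACCES is %d)\n",
               chdir_as(target_uid, target_gid, dir, 1), EACCES);
    }
    rmdir(dir);
    free(dir);
    return 0;
}
```

Run as root, the original order returns 0 for a root-owned 0700 directory, because the permission check happened while the process still had uid 0; the patched order returns EACCES for the same directory. The NFS half of the report is the same check performed by the server: with root mapped to a non-root uid, chdir as root on an o-x home directory is refused, while chdir after switching to the owner is allowed.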