Date: Mon, 23 Sep 1996 16:08:26 -0700 (PDT)
From: dillon@backplane.com
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/1672: rshd assumes hp->h_name from gethostbyaddr() valid after iruserok() call
Message-ID: <199609232308.QAA06496@apollo.backplane.com>
Resent-Message-ID: <199609232310.QAA24802@freefall.freebsd.org>

Note: There was a bad value `medium' for the field `>Severity:'.
It was set to the default value of `serious'.

>Number:         1672
>Category:       bin
>Synopsis:       rshd makes assumptions regarding gethostbyaddr() and iruserok()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 23 16:10:03 PDT 1996
>Last-Modified:
>Originator:     Matthew Dillon
>Organization:
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

    FreeBSD 2.1.5-stable

>Description:

    Sep 23 15:54:29 tick rshd[532]: lookupx flea.best.net
    Sep 23 15:54:29 tick rshd[532]: lookupy flea.best.net
    Sep 23 15:54:29 tick rshd[532]: lookupz ne.com
    Sep 23 15:54:29 tick rshd[532]: root@ne.com as root: permission denied. cmd='ls'

    (start around line 448 of /usr/src/libexec/rshd/rshd.c)

        syslog(LOG_INFO|LOG_AUTH, "lookupy %s", hostname);
        if (errorstr ||
            (pwd->pw_expire && time(NULL) >= pwd->pw_expire) ||
            (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
            iruserok(fromp->sin_addr.s_addr, pwd->pw_uid == 0,
            remuser, locuser) < 0)) {
                syslog(LOG_INFO|LOG_AUTH, "lookupz %s", hostname);
                if (__rcmd_errstr)
                        syslog(LOG_INFO|LOG_AUTH,

>How-To-Repeat:

    It would appear that iruserok blows away the 'hostname' variable.
    The problem appears to result in incorrect log lines on rsh failures.
    It appears to occur when the domain of the originator is the same as
    the domain of the server host.

>Fix:

    I suggest putting the equivalent of a:

        hostname = strdup(hostname);

    after the hostname is resolved.

>Audit-Trail:
>Unformatted: