From owner-freebsd-bugs Mon Sep 23 16:10:09 1996
Return-Path: owner-bugs
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA24818 for bugs-outgoing; Mon, 23 Sep 1996 16:10:09 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id QAA24802; Mon, 23 Sep 1996 16:10:05 -0700 (PDT)
Resent-Date: Mon, 23 Sep 1996 16:10:05 -0700 (PDT)
Resent-Message-Id: <199609232310.QAA24802@freefall.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@freefall.FreeBSD.org, dillon@backplane.com
Received: from apollo.backplane.com (apollo.backplane.com [204.156.134.254]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id QAA24238 for ; Mon, 23 Sep 1996 16:08:36 -0700 (PDT)
Received: (dillon@localhost) by apollo.backplane.com (8.7.5/8.6.5) id QAA06496; Mon, 23 Sep 1996 16:08:26 -0700 (PDT)
Message-Id: <199609232308.QAA06496@apollo.backplane.com>
Date: Mon, 23 Sep 1996 16:08:26 -0700 (PDT)
From: dillon@backplane.com
Reply-To: dillon@backplane.com
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: bin/1672: rshd assumes hp->h_name from gethostbyaddr() valid after iruserok() call
Sender: owner-bugs@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Note: There was a bad value `medium' for the field `>Severity:'. It was set to the default value of `serious'.
>Number:         1672
>Category:       bin
>Synopsis:       rshd makes assumptions regarding gethostbyaddr() and iruserok()
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Sep 23 16:10:03 PDT 1996
>Last-Modified:
>Originator:     Matthew Dillon
>Organization:
>Release:        FreeBSD 2.1-STABLE i386
>Environment:

    FreeBSD 2.1.5-stable

>Description:

    Sep 23 15:54:29 tick rshd[532]: lookupx flea.best.net
    Sep 23 15:54:29 tick rshd[532]: lookupy flea.best.net
    Sep 23 15:54:29 tick rshd[532]: lookupz ne.com
    Sep 23 15:54:29 tick rshd[532]: root@ne.com as root: permission denied. cmd='ls'

    (start around line 448 of /usr/src/libexec/rshd/rshd.c)

        syslog(LOG_INFO|LOG_AUTH, "lookupy %s", hostname);
        if (errorstr ||
            (pwd->pw_expire && time(NULL) >= pwd->pw_expire) ||
            (pwd->pw_passwd != 0 && *pwd->pw_passwd != '\0' &&
            iruserok(fromp->sin_addr.s_addr, pwd->pw_uid == 0,
                remuser, locuser) < 0)) {
                syslog(LOG_INFO|LOG_AUTH, "lookupz %s", hostname);
                if (__rcmd_errstr)
                        syslog(LOG_INFO|LOG_AUTH,

>How-To-Repeat:

    It would appear that iruserok blows away the 'hostname' variable.
    The problem appears to result in incorrect log lines on rsh failures.
    It appears to occur when the domain of the originator is the same
    as the domain of the server host.

>Fix:

    I suggest putting the equivalent of a:

        hostname = strdup(hostname);

    after the hostname is resolved.

>Audit-Trail:
>Unformatted:
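
Added example, not part of the original report and not rshd's own code: a self-contained C model of the hazard described above, where a pointer into the resolver's static result is held across a call that resolves another name, next to the copy-first fix. fake_lookup(), fake_iruserok() and the name other.example.net are hypothetical stand-ins so the program runs offline; it assumes, as the report suggests, that iruserok() does resolver work of its own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for gethostbyaddr(): like the classic resolver,
 * it returns a pointer into one static buffer that every call reuses. */
static const char *fake_lookup(const char *name)
{
    static char h_name[256];
    snprintf(h_name, sizeof h_name, "%s", name);
    return h_name;
}

/* Hypothetical stand-in for iruserok(): assumed to resolve a name of its
 * own, which overwrites the shared buffer. The name is constructed. */
static int fake_iruserok(void)
{
    (void)fake_lookup("other.example.net");
    return -1;
}

/* Pattern from the report: hold the raw pointer across the call.
 * Returns 1 if the name is still intact afterwards, 0 if clobbered. */
int raw_pointer_intact(void)
{
    const char *hostname = fake_lookup("flea.best.net");
    (void)fake_iruserok();
    return strcmp(hostname, "flea.best.net") == 0;
}

/* Suggested fix: take a private copy (what strdup() does, written in
 * plain ISO C here) before any other resolver call can run. */
int private_copy_intact(void)
{
    const char *h = fake_lookup("flea.best.net");
    char *hostname = malloc(strlen(h) + 1);
    if (hostname == NULL) return 0;
    strcpy(hostname, h);
    (void)fake_iruserok();
    int ok = strcmp(hostname, "flea.best.net") == 0;
    free(hostname);
    return ok;
}

int main(void)
{
    printf("raw pointer intact: %d, private copy intact: %d\n",
           raw_pointer_intact(), private_copy_intact());
    return 0;
}
```

For an authentication log the consequence is that the denial is attributed to the wrong host, so the copy has to be taken immediately after the lookup and before any call that may resolve another name.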