Message-ID: <19990108140417.E348@follo.net>
Date: Fri, 8 Jan 1999 14:04:17 +0100
From: Eivind Eklund
To: freebsd-security@FreeBSD.ORG
Cc: wollman@FreeBSD.ORG
Subject: Re: 3.0 rel pwd_mkdb problem(patch)
References: <19990108003140.A13277@puck.nether.net>
In-Reply-To: <19990108003140.A13277@puck.nether.net>; from Jared Mauch on Fri, Jan 08, 1999 at 12:31:40AM -0500

On Fri, Jan 08, 1999 at 12:31:40AM -0500, Jared Mauch wrote:
> I've had a problem recently with people breaking root
> and installing accounts with *no* uid in their pw file entry,
> that way everything comes up with zero for the uid, giving
> the user root privs. I'm not sure how they're obtaining root yet,
> but I've patched pwd_mkdb so they can't rebuild the pw file with
> this being the case (which it should check for anyways).
>
> here's the patch:

Note that this can more simply be written as

Index: pw_scan.c =================================================================== RCS file: /home/ncvs/src/usr.sbin/pwd_mkdb/pw_scan.c,v retrieving revision 1.6 diff -u -r1.6 pw_scan.c --- pw_scan.c 1997/10/10 06:27:06 1.6 +++ pw_scan.c 1999/01/08 12:55:05 @@ -78,7 +78,12 @@ if (!(p = strsep(&bp, ":"))) /* uid */ goto fmt; - if(p[0]) pw->pw_fields |= _PWF_UID; + if (p[0]) + pw->pw_fields |= _PWF_UID; + else { + warnx("no uid for user %s", pw->pw_name); + return (0); + } id = atol(p); if (root && id) { warnx("root uid should be 0");

by hanging off the old field check that wollman added when we added 'pw_fields'. This seems to indicate that he considered an empty UID as a valid case. I don't see why, so I would appreciate it if Garrett would follow up and tell me :-) passwd(5) does not indicate that an empty UID field is valid.

Eivind.
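Review bot: the new else branch only rejects a completely empty uid field, so at `id = atol(p);` a field that is non-empty but not a number (whitespace or letters, for instance) still passes the `p[0]` test and atol() turns it into 0, leaving a non-root entry with uid 0, which is the outcome the patch is meant to stop. Consider parsing the field with strtoul() and an end pointer, and failing with warnx() and `return (0);` when no digits were consumed or trailing characters remain. The `if (root && id)` test that follows only confirms that root has uid 0; nothing in the visible lines flags a non-root name that ends up with uid 0.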