Date: Sat, 23 Aug 1997 03:38:30 +0200 (MEST)
From: pruess@ZEDAT.FU-Berlin.DE (Gunnar Pruessner)
To: freebsd-security@FreeBSD.ORG
Subject: /etc/shells in pwd.db
Message-ID: <m0x259q-00MPBiC@Komma.ZEDAT.FU-Berlin.DE>

Hi!

Recently I wanted to create a pwd.db file for an anonymous ftp account. Whenever I created such a file, I found /etc/shells in it. This is because getusershell(3) in pw_scan.c uses stdio, which left its buffer somewhere in memory. And occasionally the db(3) calls in pwd_mkdb.c reuse even this memory.

I think this is a (small) security hole, because all bad guys on my ftp server would be able to choose a username (for their attacks) in /etc/pwd.db that is allowed to log in if I don't remove the shell entries in the "template" for the anon-ftp-pwd.db.

I inserted a setbuf(fp, NULL) in getusershell.c to avoid buffering and linked getusershell.o to pwd_mkdb instead of the library function.

What do you think about that?

Gunnar
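
An added example, not part of the original message and not FreeBSD's code: a small deterministic model of the leak described above, in which a buffer that held /etc/shells text is reused as a database page and written out whole. The allocator, page size, function names and sample data are all constructed for illustration; the scrubbed path shows clearing memory before reuse, which is a different mitigation from the unbuffered-read change proposed in the message.

```c
#include <stdio.h>
#include <string.h>
#define PAGE 256                     /* constructed page size for this model */
static unsigned char chunk[PAGE];    /* stands in for one heap chunk that gets reused */

/* Model allocator: returns the same chunk again, as a freed block often is. */
static unsigned char *chunk_alloc(int scrub)
{
    if (scrub) memset(chunk, 0, PAGE);   /* hardened path: clear before reuse */
    return chunk;
}

/* Step 1: a buffered read leaves file text (constructed sample) in its buffer. */
static void read_shells_buffered(void)
{
    static const char shells[] = "# List of acceptable shells\n/bin/sh\n/bin/csh\n";
    memcpy(chunk_alloc(0), shells, sizeof shells - 1);
}

/* Step 2: a writer fills part of a page, then writes the whole page out. */
static void build_page(unsigned char *out, int scrub)
{
    /* constructed passwd-style record for the anonymous ftp account */
    static const char rec[] = "ftp:*:14:5::0:0:Anonymous FTP:/var/ftp:/nonexistent";
    unsigned char *page = chunk_alloc(scrub);
    memcpy(page + PAGE - sizeof rec, rec, sizeof rec);  /* model: record at page end */
    memcpy(out, page, PAGE);         /* slack bytes go out along with the record */
}

/* Returns 1 if needle occurs anywhere in the n-byte image p. */
static int image_contains(const unsigned char *p, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, needle, m) == 0) return 1;
    return 0;
}

/* Runs both steps; returns 1 if /etc/shells text reached the output page. */
int shells_leaked(int scrub)
{
    unsigned char out[PAGE];
    read_shells_buffered();
    build_page(out, scrub);
    return image_contains(out, PAGE, "/bin/csh");
}
int main(void)
{
    return printf("unscrubbed: %d, scrubbed: %d\n", shells_leaked(0), shells_leaked(1)) < 0;
}
```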