From owner-freebsd-security Fri Aug 22 18:38:33 1997
From: pruess@ZEDAT.FU-Berlin.DE (Gunnar Pruessner)
Subject: /etc/shells in pwd.db
To: freebsd-security@FreeBSD.ORG
Date: Sat, 23 Aug 1997 03:38:30 +0200 (MEST)

Hi!

Recently I wanted to create a pwd.db file for an anonymous ftp account. Whenever I created such a file, I found /etc/shells in it. This is because getusershell(3) in pw_scan.c uses stdio, which left its buffer somewhere in memory, and occasionally the db(3) calls in pwd_mkdb.c reuse even this memory.

I think this is a (small) security hole, because all the bad guys on my ftp server would be able to choose a username (for their attacks) in /etc/pwd.db that is allowed to log in if I don't remove the shell entries in the "template" for the anon-ftp pwd.db.

I inserted a setbuf(fp, NULL) in getusershell.c to avoid buffering and linked getusershell.o into pwd_mkdb instead of the library function.

What do you think about that?

Gunnar
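A check for the kind of leak described in the mail, added here as an example and not code from the original post or from FreeBSD: it walks a database file's bytes, collects printable runs, and reports any that are not in the set of strings the template is expected to contain, so stale buffer contents such as /etc/shells lines stand out. The sample_db bytes and the allowed list are constructed for the example and do not follow the real db(3) hash-file layout.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MIN_RUN 4   /* printable runs shorter than this are ignored */

/* Constructed sample: one template entry for the anonymous ftp account,
 * followed by stale bytes that look like a leaked /etc/shells stdio buffer. */
static const unsigned char sample_db[] =
    "ftp\0*\0\0\0ftp\0/home/ftp\0/bin/false\0"
    "\x00\x00\x00\x00"
    "# /etc/shells\n/bin/sh\n/bin/csh\n/usr/local/bin/bash\n";

/* Strings the chroot pwd.db built from the template is expected to hold. */
static const char *const allowed[] = { "ftp", "/home/ftp", "/bin/false", NULL };

static int is_allowed(const char *s, size_t n, const char *const *list)
{
    for (; *list; list++)
        if (strlen(*list) == n && memcmp(*list, s, n) == 0)
            return 1;
    return 0;
}

/* Scan db for printable runs not in list.  Returns how many were found and
 * copies up to max of them (NUL-terminated, truncated to 63 bytes) into out. */
size_t find_unexpected(const unsigned char *db, size_t len,
                       const char *const *list, char out[][64], size_t max)
{
    size_t i = 0, found = 0;
    while (i < len) {
        size_t start = i;
        while (i < len && isprint(db[i]))
            i++;
        size_t n = i - start;
        if (n >= MIN_RUN && !is_allowed((const char *)db + start, n, list)) {
            if (found < max) {
                size_t c = n < 63 ? n : 63;
                memcpy(out[found], db + start, c);
                out[found][c] = '\0';
            }
            found++;
        }
        i++;    /* step over the non-printable byte that ended the run */
    }
    return found;
}

int main(void)
{
    char out[16][64];
    size_t n = find_unexpected(sample_db, sizeof sample_db - 1, allowed, out, 16);
    for (size_t k = 0; k < n && k < 16; k++)
        printf("unexpected string in db: %s\n", out[k]);
    return n ? 1 : 0;
}
```

On a real system the same scan can be run over the generated pwd.db with the template's user names, home directories and shells as the allowed list.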