Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 27 Oct 1997 12:44:34 -0800 (PST)
From:      kwhite@csi.uottawa.ca
To:        freebsd-gnats-submit@FreeBSD.ORG
Subject:   bin/4867: incorrect NIS netgroup information may be used for passwd entries
Message-ID:  <199710272044.MAA24335@hub.freebsd.org>
Resent-Message-ID: <199710272050.MAA24990@hub.freebsd.org>
next in thread | raw e-mail | index | archive | help 


>Number:         4867
>Category:       bin
>Synopsis:       incorrect NIS netgroup information may be used for passwd entries
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 27 12:50:01 PST 1997
>Last-Modified:
>Originator:     Keith White
>Organization:
SITE, University of Ottawa
>Release:        2.2.2
>Environment:
FreeBSD mail2.csi.uottawa.ca 2.2.2-RELEASE FreeBSD 2.2.2-RELEASE #0: Fri Oct 24 16:54:19 EDT 1997     kwhite@mail2.csi.uottawa.ca:/usr/src/sys/compile/MAIL2  i386

>Description:
the innetgr() helper routine _listmatch() in
/usr/src/lib/libc/gen/getnetgrent.c returns false positives
for netgroups that match the regular expression '^.*group$'
(substitute for group).  This allows for "surprising" entries in the
password file to be used.

For example, if your password file contains entries like this:

+@baduser:::::::::/bin/abusemsg
+@user:::::::::/bin/sh

a user in the "user" netgroup *may* get the "baduser" shell.
(depends on the order of the user's entry in netgroups.byuser)
>How-To-Repeat:
create NIS users a and b
place user a in netgroup baduser
place user b in netgroup user
Add the above two lines to the password file
Notice how user b is treated like a "baduser"

>Fix:
The following _listmatch() routine may work better:

static int _listmatch(list, group, len)
char *list, *group;
int len;
{
        char *ptr = list;
        int glen = strlen(group);
 
        while ( (ptr = strstr(ptr, group)) ) {
 
                ptr += glen; 
                if ((ptr-glen == list || ptr[-glen-1] == ',') &&
                        (*ptr == ',' || *ptr == '\0'))
                        return(1);
        }

        return(0);
}

>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199710272044.MAA24335>