From owner-freebsd-bugs Mon Oct 27 12:50:06 1997
Return-Path:
Received: (from root@localhost)
    by hub.freebsd.org (8.8.7/8.8.7) id MAA25001
    for bugs-outgoing; Mon, 27 Oct 1997 12:50:06 -0800 (PST)
    (envelope-from owner-freebsd-bugs)
Received: (from gnats@localhost)
    by hub.freebsd.org (8.8.7/8.8.7) id MAA24990;
    Mon, 27 Oct 1997 12:50:02 -0800 (PST)
    (envelope-from gnats)
Resent-Date: Mon, 27 Oct 1997 12:50:02 -0800 (PST)
Resent-Message-Id: <199710272050.MAA24990@hub.freebsd.org>
Resent-From: gnats (GNATS Management)
Resent-To: freebsd-bugs
Resent-Reply-To: FreeBSD-gnats@FreeBSD.ORG, kwhite@csi.uottawa.ca
Received: (from nobody@localhost)
    by hub.freebsd.org (8.8.7/8.8.7) id MAA24335;
    Mon, 27 Oct 1997 12:44:34 -0800 (PST)
    (envelope-from nobody)
Message-Id: <199710272044.MAA24335@hub.freebsd.org>
Date: Mon, 27 Oct 1997 12:44:34 -0800 (PST)
From: kwhite@csi.uottawa.ca
To: freebsd-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: www-1.0
Subject: bin/4867: incorrect NIS netgroup information may be used for passwd entries
Sender: owner-freebsd-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

>Number:         4867
>Category:       bin
>Synopsis:       incorrect NIS netgroup information may be used for passwd entries
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 27 12:50:01 PST 1997
>Last-Modified:
>Originator:     Keith White
>Organization:
SITE, University of Ottawa
>Release:        2.2.2
>Environment:
FreeBSD mail2.csi.uottawa.ca 2.2.2-RELEASE FreeBSD 2.2.2-RELEASE #0: Fri Oct 24 16:54:19 EDT 1997 kwhite@mail2.csi.uottawa.ca:/usr/src/sys/compile/MAIL2 i386
>Description:
the innetgr() helper routine _listmatch() in
/usr/src/lib/libc/gen/getnetgrent.c returns false positives for
netgroups that match the regular expression '^.*group$' (substitute
for group). This allows for "surprising" entries in the password
file to be used.

For example, if your password file contains entries like this:

    +@baduser:::::::::/bin/abusemsg
    +@user:::::::::/bin/sh

a user in the "user" netgroup *may* get the "baduser" shell.
(depends on the order of the user's entry in netgroups.byuser)
>How-To-Repeat:
create NIS users a and b
place user a in netgroup baduser
place user b in netgroup user
Add the above two lines to the password file
Notice how user b is treated like a "baduser"
>Fix:
The following _listmatch() routine may work better:

static int
_listmatch(list, group, len)
    char *list, *group;
    int len;
{
    char *ptr = list;
    int glen = strlen(group);

    /* Look at every occurrence of group inside the list. */
    while ( (ptr = strstr(ptr, group)) ) {
        ptr += glen;
        /*
         * Accept the hit only if it starts at the beginning of the
         * list or after a ',' and ends at a ',' or the end of the list.
         */
        if ((ptr-glen == list || ptr[-glen-1] == ',')
            && (*ptr == ',' || *ptr == '\0'))
            return(1);
    }
    return(0);
}
>Audit-Trail:
>Unformatted:
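
The following is an added example, not code from the report or from FreeBSD libc. It shows the class of false positive described above (a list element matching '^.*group$') next to a whole-element comparison that is bounded by len, which the routine above accepts but does not use. The function names and the sample lists are constructed for illustration, and suffix_listmatch() only models the reported behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Model of the reported behaviour (an assumption, not the libc source):
 * an element matches when it merely ends with the group name. */
static int suffix_listmatch(const char *list, const char *group, size_t len)
{
	size_t glen = strlen(group), start = 0, i;

	for (i = 0; i <= len; i++) {
		if (i < len && list[i] != ',')
			continue;
		if (i - start >= glen && memcmp(list + i - glen, group, glen) == 0)
			return 1;
		start = i + 1;
	}
	return 0;
}

/* Whole-element match: same length and same bytes, reading at most len
 * bytes of list, so the buffer need not be NUL-terminated. */
static int exact_listmatch(const char *list, const char *group, size_t len)
{
	size_t glen = strlen(group), start = 0, i;

	if (glen == 0)
		return 0;	/* an empty name never matches */
	for (i = 0; i <= len; i++) {
		if (i < len && list[i] != ',')
			continue;
		if (i - start == glen && memcmp(list + start, group, glen) == 0)
			return 1;
		start = i + 1;
	}
	return 0;
}

int main(void)
{
	/* Constructed netgroup lists, checked against the group "user". */
	const char *lists[] = { "baduser", "staff,user", "baduser,users" };
	size_t n;

	for (n = 0; n < sizeof(lists) / sizeof(lists[0]); n++)
		printf("%-14s suffix=%d exact=%d\n", lists[n],
		    suffix_listmatch(lists[n], "user", strlen(lists[n])),
		    exact_listmatch(lists[n], "user", strlen(lists[n])));
	return 0;
}
```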