Date: Thu, 1 Jun 1995 19:10:07 -0700
From: wpaul@ctr.columbia.edu
To: freebsd-bugs
Subject: bin/473: getpwent.c/NIS bug and fix
Message-ID: <199506020210.TAA23102@freefall.cdrom.com>
In-Reply-To: Your message of Thu, 1 Jun 1995 22:06:29 -0400 <199506020206.WAA00680@bootserv.ctr.columbia.edu>
>Number: 473
>Category: bin
>Synopsis: getpwent.c/NIS bug and fix
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs (FreeBSD bugs mailing list)
>State: open
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jun 1 19:10:05 1995
>Originator: Bill Paul
>Organization:
Center for Telecommunications Research, Columbia University
>Release: FreeBSD 2.0-BUILT-19950527 i386
>Environment:
FreeBSD 2.0.5-ALPHA
i386sx/16Mhz system with 387sx FPU
4 MB RAM
20 MB XT-class hard disk
generic VGA
3c503 ethernet (8-bit)
>Description:
The +@netgroup/-@netgroup NIS password overrides can fail in
some cases due to a subtle bug. Specifically, if you override
an NIS user's shell, /usr/bin/login and /usr/bin/su (and probably
other commands) can end up with bogus data for the pw_shell
member of the passwd structure *if* they do an endpwent(),
thereby preventing logins.

This happens because the text fields in the passwd structure
(pw_name, pw_passwd, pw_gecos, pw_class, pw_dir and pw_shell)
are returned to the calling program as pointers to dynamically
allocated buffers, rather than pointers to static buffers as
they should be. Once endpwent() is called, the dynamic buffers
are free()ed, which invalidates the data returned by the
library functions.
>How-To-Repeat:
1) enable NIS
2) put an entry in the master.passwd file that overrides
the shell field for a user in the NIS database, like this:
+testuser:::::::::/bin/csh
3) attempt to login as user 'testuser'. The result will be
that /usr/bin/login will end up with some random value
for pw_shell and the login will fail.
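The failure described above, modelled as an added example that is not part of this PR or of getpwent.c: a miniature lookup whose returned fields alias a heap buffer that end_pw() frees (the shape login trips over), beside the static-buffer variant the fix moves to, using a bounded copy so an over-long field truncates instead of overflowing. mini_pw, heap_line, copy_field, end_pw, SHELL_BUF and the "name:shell" line format are all constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define SHELL_BUF 64                 /* deliberately small so truncation is visible */
struct mini_pw { char *pw_name; char *pw_shell; };   /* constructed stand-in for struct passwd */
static char *heap_line;              /* freed by end_pw(), like the dynamic buffers in the PR */
static struct mini_pw result;

/* Bounded copy: always NUL-terminates and truncates instead of overflowing. */
static void copy_field(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz) n = dstsz - 1;
    memcpy(dst, src, n); dst[n] = '\0';
}

/* Buggy shape: both returned pointers alias heap_line, which end_pw() frees. */
struct mini_pw *lookup_pw_dynamic(const char *line)     /* line is "name:shell" (constructed) */
{
    free(heap_line);
    if (!(heap_line = malloc(strlen(line) + 1))) abort();
    memcpy(heap_line, line, strlen(line) + 1);
    char *colon = strchr(heap_line, ':');
    if (!colon) abort();                                /* constructed input always has one */
    *colon = '\0';                                      /* split name from shell in place */
    result.pw_name = heap_line; result.pw_shell = colon + 1;
    return &result;
}

/* Fixed shape: copy each field into static storage before the caller sees it. */
struct mini_pw *lookup_pw_static(const char *line)
{
    static char name[32], shell[SHELL_BUF];
    struct mini_pw *pw = lookup_pw_dynamic(line);
    copy_field(name, sizeof name, pw->pw_name);    pw->pw_name = name;
    copy_field(shell, sizeof shell, pw->pw_shell); pw->pw_shell = shell;
    return pw;
}
void end_pw(void) { free(heap_line); heap_line = NULL; }

/* 1 if pw_shell still reads `want` after end_pw(); 0 if it pointed into the freed buffer (checked by address, never dereferenced) or no longer matches. */
int shell_survives_endpwent(struct mini_pw *(*lookup)(const char *), const char *line, const char *want)
{
    struct mini_pw *pw = lookup(line);
    uintptr_t lo = (uintptr_t)heap_line, p = (uintptr_t)pw->pw_shell;
    int aliases_heap = p >= lo && p < lo + strlen(line) + 1;
    end_pw();
    return !aliases_heap && strcmp(pw->pw_shell, want) == 0;
}
size_t static_shell_len(const char *line) { return strlen(lookup_pw_static(line)->pw_shell); }  /* never more than SHELL_BUF - 1 */
```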
>Fix:
This is a context diff for /usr/src/lib/libc/gen/getpwent.c
that fixes the problem. A more elegant solution would be
preferable, and I intend to implement one for 2.1 just as soon
as the code lockout for 2.0.5 is lifted.
*** getpwent.c.orig Thu Jun 1 21:16:00 1995
--- getpwent.c Thu Jun 1 21:20:01 1995
***************
*** 496,501 ****
--- 496,510 ----
_pw_breakout_yp(struct passwd *pw, char *result, int master)
{
char *s;
+ static char name[UT_NAMESIZE+2], passwd[_PASSWORD_LEN], class[1024];
+ static char gecos[1024], dir[MAXPATHLEN], shell[MAXPATHLEN];
+
+ strcpy(name, pw->pw_name); pw->pw_name = (char *)&name;
+ strcpy(passwd, pw->pw_passwd); pw->pw_passwd = (char *)&passwd;
+ strcpy(class, pw->pw_class); pw->pw_class = (char *)&class;
+ strcpy(gecos, pw->pw_gecos); pw->pw_gecos = (char *)&gecos;
+ strcpy(dir, pw->pw_dir); pw->pw_dir = (char *)&dir;
+ strcpy(shell, pw->pw_shell); pw->pw_shell = (char *)&shell;
s = strsep(&result, ":"); /* name */
if(!(pw->pw_fields & _PWF_NAME) || (pw->pw_name[0] == '+')) {
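Review bot: the six strcpy() calls in the added block are unbounded copies into fixed-size static buffers (name[UT_NAMESIZE+2], passwd[_PASSWORD_LEN], class[1024], gecos[1024], dir[MAXPATHLEN], shell[MAXPATHLEN]); a field longer than its buffer, whether it came from the NIS map or from the local override entry, overflows static storage inside libc. Bound each copy to its buffer and terminate it, e.g. `strncpy(gecos, pw->pw_gecos, sizeof(gecos) - 1); gecos[sizeof(gecos) - 1] = '\0';`, and likewise for the other five. Minor: the `(char *)&name` style casts are unnecessary, since `name` already decays to `char *`; and because the copies run unconditionally before the `pw->pw_fields` checks, it is worth confirming every pw_* pointer is non-NULL on entry.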
>Audit-Trail:
>Unformatted:
Archive URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199506020210.TAA23102>
