From owner-freebsd-bugs Mon Jun 22 07:01:42 1998
Return-Path:
Received: (from majordom@localhost)
        by hub.freebsd.org (8.8.8/8.8.8) id HAA04013
        for freebsd-bugs-outgoing; Mon, 22 Jun 1998 07:01:42 -0700 (PDT)
        (envelope-from owner-freebsd-bugs@FreeBSD.ORG)
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id HAA04005
        for ; Mon, 22 Jun 1998 07:01:40 -0700 (PDT)
        (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
        by freefall.freebsd.org (8.8.8/8.8.5) id HAA27037;
        Mon, 22 Jun 1998 07:00:01 -0700 (PDT)
Received: from ntu-kpi.kiev.ua (root@ntu-kpi.kiev.ua [195.178.136.20])
        by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA03673
        for ; Mon, 22 Jun 1998 06:58:14 -0700 (PDT)
        (envelope-from lx@hosix.ntu-kpi.kiev.ua)
Received: from hosix.ntu-kpi.kiev.ua (hosix.ntu-kpi.kiev.ua [10.100.0.6])
        by ntu-kpi.kiev.ua (8.8.8/8.7.3) with ESMTP id QAA11863
        for ; Mon, 22 Jun 1998 16:57:46 +0300 (EEST)
Received: from lx.hosix.ntu-kpi.kiev.ua (lx.hosix.ntu-kpi.kiev.ua [10.100.23.72])
        by hosix.ntu-kpi.kiev.ua (some/some) with ESMTP id QAA26354
        for ; Mon, 22 Jun 1998 16:57:37 +0300 (EEST)
Received: (from lx@localhost)
        by lx.hosix.ntu-kpi.kiev.ua (unknown/hidden) id QAA13790;
        Mon, 22 Jun 1998 16:57:37 +0300 (EEST)
Message-Id: <199806221357.QAA13790@lx.hosix.ntu-kpi.kiev.ua>
Date: Mon, 22 Jun 1998 16:57:37 +0300 (EEST)
From: Alexander Matey
Reply-To: lx@hosix.ntu-kpi.kiev.ua
To: FreeBSD-gnats-submit@FreeBSD.ORG
X-Send-Pr-Version: 3.2
Subject: bin/7019: pwd.db almost always contains /etc/shells
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         7019
>Category:       bin
>Synopsis:       pwd.db almost always contains /etc/shells
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 22 07:00:00 PDT 1998
>Last-Modified:
>Originator:     Alexander Matey
>Organization:   National Technical University of Ukraine /KPI/
>Release:        FreeBSD 2.2.6-STABLE i386
>Environment:

        FreeBSD lx.hosix.ntu-kpi.kiev.ua 2.2.6-STABLE FreeBSD 2.2.6-STABLE #0: Thu Jun 18 13:23:15 EEST 1998 root@lx.hosix.ntu-kpi.kiev.ua:/usr/src/sys/compile/LX i386

        lx#lx[v2]/usr/src/usr.sbin/pwd_mkdb>ident pwd_mkdb.c
        pwd_mkdb.c:
             $Id: pwd_mkdb.c,v 1.15.2.7 1998/02/19 08:10:31 guido Exp $

>Description:

        pwd.db created by pwd_mkdb almost always contains the whole or
        a part of /etc/shells. It's usually ok unless pwd.db is going
        to be placed in ftp_root:/etc.

        It seems that calls to (dp->put)(dp, &key, &data, method) in
        pwd_mkdb.c while writing legal pwd records to hash database get
        memory malloced in /usr/src/lib/libc/gen/getusershell.c:
        initshells() in some manner written too. This memory is malloced
        in the call to setusershell() in
        /usr/src/usr.sbin/pwd_mkdb/pw_scan.c while checking the shell
        entry of the user "root".

>How-To-Repeat:

        # cat > master.passwd
        root:*:0:0::0:0::/nowhere:/nowhere
        ftpown:*:101:101::0:0::/nowhere:/nowhere
        ^D
        # pwd_mkdb -d . master.passwd
        pwd_mkdb: warning, unknown root shell
        # strings pwd.db | more

>Fix:

        1) rename /etc/shells while building pwd.db for ftp_root:/etc
        2) do not include "root" user in master.passwd
        3) set username with uid 0 to "Root" :-) in master.passwd
        3) use native ftpd built with -DINTERNAL_LS
        4) do not put pwd.db in ftp_root:/etc at all - let
           ftp_root:/bin/ls produce numeric uids.
        5) fix pwd_mkdb to prevent such behavior

>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
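
The manual "strings pwd.db | more" inspection from How-To-Repeat can be scripted as a check to run before a pwd.db is copied into ftp_root:/etc. This is an added example, not part of the original report or of FreeBSD; the function name leaked_shells is hypothetical, and it assumes the ten-field master.passwd layout used in the report and that a leaked path sits between non-printable bytes in the file.

```shell
#!/bin/sh
# Added example: report /etc/shells entries that appear in a pwd.db
# although no account in the master.passwd it was built from uses them.
#
# usage: leaked_shells PWD_DB MASTER_PASSWD SHELLS_FILE
# Prints each leaked path on its own line.
# Returns 0 when the database is clean, 1 when at least one path leaked.
leaked_shells() {
    db=$1; master=$2; shells=$3

    # Printable runs found in the database, one per line (what strings(1)
    # shows, without its minimum-length filter).
    tokens=$(LC_ALL=C tr -c '[:print:]' '\n' < "$db" | sort -u)

    # Shell field (10th) of every account: these paths are expected
    # in the database and must not be reported.
    used=$(awk -F: '$0 !~ /^#/ { print $10 }' "$master" | sort -u)

    # Paths listed in the shells file, comments and blank lines removed.
    listed=$(sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$shells")

    status=0
    for path in $listed; do
        # Skip shells that an account legitimately carries.
        printf '%s\n' "$used" | grep -qxF -- "$path" && continue
        # Anything else from the shells file is stray process memory.
        if printf '%s\n' "$tokens" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
            status=1
        fi
    done
    return $status
}

# Stand-alone use: sh check.sh ./pwd.db ./master.passwd /etc/shells
if [ "$#" -eq 3 ]; then
    leaked_shells "$@"
fi
```

A non-zero return means the file should be rebuilt using one of the workarounds listed under Fix before it is published.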