From owner-freebsd-bugs Fri Jul 9 7:50: 9 1999
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21])
    by hub.freebsd.org (Postfix) with ESMTP id 897981560D
    for ; Fri, 9 Jul 1999 07:50:03 -0700 (PDT)
    (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost)
    by freefall.freebsd.org (8.9.3/8.9.2) id HAA65567;
    Fri, 9 Jul 1999 07:50:03 -0700 (PDT)
    (envelope-from gnats@FreeBSD.org)
Received: by hub.freebsd.org (Postfix, from userid 32767)
    id D98AF14F23; Fri, 9 Jul 1999 07:44:04 -0700 (PDT)
Message-Id: <19990709144404.D98AF14F23@hub.freebsd.org>
Date: Fri, 9 Jul 1999 07:44:04 -0700 (PDT)
From: david@inty.net
To: freebsd-gnats-submit@freebsd.org
X-Send-Pr-Version: www-1.0
Subject: misc/12576: libc problem with getpw* functions using NIS
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         12576
>Category:       misc
>Synopsis:       libc problem with getpw* functions using NIS
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 9 07:50:02 PDT 1999
>Closed-Date:
>Last-Modified:
>Originator:     David Hedley
>Release:        3.2-RELEASE
>Organization:
INTY
>Environment:
FreeBSD server.inty.net 3.2-RELEASE FreeBSD 3.2-RELEASE #0: Tue May 25 10:06:57 GMT 1999 david@server.inty.net:/usr/src/sys/compile/GENERIC+MODS i386
>Description:
I'm seeing many errors in the logs of the form:

Jul 9 14:27:53 server ypserv[1268]: access to master.passwd.byuid denied -- client 127.0.0.1:2597 not privileged

This is caused by the following sequence of events:

1) program runs as root
2) calls getpwuid
3) closes all file descriptors
4) setuid(something other than root)
5) calls getpwuid

The first call to getpwuid sets the _gotmaster variable in getpwent.c.
This makes all subsequent calls use the 'master.passwd' map instead of
'passwd'.
When the second call to getpwuid is made, _yp_dobind determines that its
socket has been closed and that it needs to rebind; however, it can no
longer get a privileged port due to no longer running as root. However, it
still tries to access the master.passwd map because the _gotmaster variable
has not been updated, resulting in the error message shown above.
>How-To-Repeat:
Run Apache with SuEXEC enabled (this is how I noticed it originally).
Either that, or run the following on a box using NIS:

    #include <sys/types.h>
    #include <pwd.h>
    #include <unistd.h>

    int main(int argc, char **argv)
    {
        int i;
        struct passwd *pw;

        pw = getpwuid(9998);    /* first lookup, still root */
        setuid(99);             /* drop privileges */
        for (i = 2; i < 200; i++)
            close(i);           /* closes the NIS binding socket too */
        pw = getpwuid(9999);    /* second lookup forces a rebind */
        return 0;
    }

Ensure that the UIDs (9998 and 9999) don't exist in your local password file.
>Fix:
I've commented out the check in ypserv which checks for a secure port for
the moment - not a terribly good solution.

Either that or somehow, _getyppass must realise if the map lookup for
'master.passwd' has failed, it should reset _gotmaster and retry with the
'passwd' map.
>Release-Note:
>Audit-Trail:
>Unformatted:

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-bugs" in the body of the message
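
The sequence from the Description and the reset-and-retry idea from the Fix section can be modelled without a NIS server. The following is an added example, not code from the report or from FreeBSD's libc or ypserv; every function and type name in it is hypothetical, and the client and server are simulated in-process.

```c
/* Constructed model of the report, not FreeBSD code; all names hypothetical. */
#include <stdio.h>
#include <string.h>
#define RESERVED_LIMIT 1024   /* binding a port below this needs root */
enum yp_status { YP_OK, YP_DENIED };
struct client { int euid, src_port, gotmaster; };  /* port 0: closed; gotmaster -1: undecided */

/* Server: master.passwd.* maps are served only to reserved source ports. */
static enum yp_status server_lookup(const char *map, int src_port)
{
    int master = strncmp(map, "master.passwd.", 14) == 0;
    return (master && src_port >= RESERVED_LIMIT) ? YP_DENIED : YP_OK;
}

/* Client lookup by uid. retry == 0 trusts the cached flag (reported behaviour);
 * retry != 0 clears it on denial and falls back to the 'passwd' map. */
static enum yp_status lookup_byuid(struct client *c, int retry, int *denials)
{
    if (c->src_port == 0)                       /* socket closed: rebind */
        c->src_port = (c->euid == 0) ? 1023 : 2597; /* 1023 constructed; 2597 as in the log */
    if (c->gotmaster < 0)                       /* decided once, on first call */
        c->gotmaster = (c->src_port < RESERVED_LIMIT);
    const char *map = c->gotmaster ? "master.passwd.byuid" : "passwd.byuid";
    enum yp_status st = server_lookup(map, c->src_port);
    if (st == YP_DENIED) {
        (*denials)++;                           /* server logs "not privileged" */
        if (retry) {
            c->gotmaster = 0;
            st = server_lookup("passwd.byuid", c->src_port);
        }
    }
    return st;
}

/* Replays the report's sequence: lookup as root, close fds, setuid, lookup. */
static enum yp_status replay(int retry, int *denials)
{
    struct client c = { 0, 0, -1 };
    *denials = 0;
    lookup_byuid(&c, retry, denials);
    c.src_port = 0; c.euid = 99;                /* descriptors closed, setuid(99) */
    return lookup_byuid(&c, retry, denials);
}

int main(void)
{
    int d, stale = replay(0, &d), fixed = replay(1, &d);
    printf("cached flag: %d, reset and retry: %d (0 = ok, 1 = denied)\n", stale, fixed);
    return 0;
}
```

In this model the fallback still causes one denial at the server before the lookup succeeds, so the log line would appear once per process after the privilege drop rather than on every lookup.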