From owner-freebsd-hackers Sat Sep 7 00:51:21 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA13709 for hackers-outgoing; Sat, 7 Sep 1996 00:51:21 -0700 (PDT)
Received: from irz301.inf.tu-dresden.de (irz301.inf.tu-dresden.de [141.76.1.11]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id AAA13703 for ; Sat, 7 Sep 1996 00:51:18 -0700 (PDT)
Received: from sax.sax.de (sax.sax.de [193.175.26.33]) by irz301.inf.tu-dresden.de (8.6.12/8.6.12-s1) with ESMTP id JAA28706; Sat, 7 Sep 1996 09:51:01 +0200
Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id JAA25999; Sat, 7 Sep 1996 09:51:00 +0200
Received: (from j@localhost) by uriah.heep.sax.de (8.7.5/8.6.9) id JAA08466; Sat, 7 Sep 1996 09:42:55 +0200 (MET DST)
From: J Wunsch
Message-Id: <199609070742.JAA08466@uriah.heep.sax.de>
Subject: Re: SECURITY HOLE in FreeBSD 2.1.5 ????????!!!!!!!
To: freebsd-hackers@freebsd.org (FreeBSD hackers)
Date: Sat, 7 Sep 1996 09:42:55 +0200 (MET DST)
Cc: kallio@cc.jyu.fi (Seppo Kallio), wosch@cs.tu-berlin.de (Wolfram Schneider)
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
In-Reply-To: from Seppo Kallio at "Sep 7, 96 09:31:39 am"
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

Never post to both, -hackers and -current.  Never.  Almost all people on -current are also subscribed on -hackers, and those who aren't aren't interested in the other stuff at all.

Don't post security holes to -hackers or -current.  Post them to -security, to -core, or to security-officer@freebsd.org.

As Seppo Kallio wrote:

> I think pwd_mkdb is making a temporary file /etc/master.passwd.orig with
> read permissions to all.

It indeed creates this file, but you should have UTSL'ed before.  It is deliberately created with ``insecure'' permissions, and it is the new copy of /etc/passwd if the -p option has been specified.  Thus, it doesn't contain passwords.

> We cannot add users to the system when someone is using the passwd command.
> It is a really big problem in a node having 4000 accounts when we try to add
> 1000 accounts now when new students come in at the start of September.
> The passwd command should not lock the passwd files for the entire time from
> when the user types passwd to when he/she succeeds in typing his/her new passwd!

Of course, the passwd command *should* lock the master password file while modifications are in progress.  However, you are perhaps interested in Guido's ``incremental update'' modifications:

revision 1.11
date: 1996/07/01 19:38:27;  author: guido;  state: Exp;  lines: +218 -133
Implement incremental passwd database updates.  This is done by adding a '-u' option to pwd_mkdb and adding this option to utilities invoking it.  Further, the filling of both the secure and insecure databases has been merged into one loop, giving also a performance improvement.
Note that I did *not* change the adduser command.  I don't read perl (it is a write-only language anyway).
The change will drastically improve performance for passwd and friends with large passwd files.  Vipw's performance won't change.  In order to do that, some kind of diff should be made between the old and new master.passwd and, depending on the amount of changes, an incremental or complete update of the databases should be agreed upon.

Btw., I found a real security hole while browsing through the sources: adduser backs up the contents of master.passwd into a world-readable file in case pwd_mkdb(8) returned an error.  Wolfram, can you fix this please (by setting umask(066) first, I think)?

-- 
cheers, J"org               joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
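The hole Joerg points out at the end (adduser saving a copy of master.passwd into a world-readable file) comes down to creating the backup under whatever umask the caller inherited. The program below is an added example, not FreeBSD's adduser or pwd_mkdb code: it writes a constructed master.passwd into a private scratch directory, copies it once the careless way and once the hardened way, and reports the permission bits each backup ends up with. The hardened path clamps the umask to 077 (Joerg's umask(066) would likewise remove group and other read access), passes an explicit 0600 to open(2), and adds O_EXCL so a file or symlink planted at the backup name beforehand is refused. The /tmp paths, the helper names and the sample password lines (with made-up hashes) are assumptions of this example.

```c
/* Added example, not adduser(8) or pwd_mkdb(8) code: why a backup of
 * master.passwd written under the inherited umask ends up world readable,
 * beside a hardened copy.  Paths, helper names and sample lines are made up. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for master.passwd; the hashes are not real. */
static const char SAMPLE[] =
    "root:$1$fakesalt$fakehash:0:0::0:0:Charlie &:/root:/bin/csh\n"
    "alice:$1$fakesalt$otherhash:1001:1001::0:0:Alice:/home/alice:/bin/sh\n";

/* Fresh private scratch dir holding a 0600 master.passwd; also yields the backup path. */
static int fixture(char *src, size_t slen, char *dst, size_t dlen)
{
    char tmpl[] = "/tmp/pwbakXXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(src, slen, "%s/master.passwd", tmpl);
    snprintf(dst, dlen, "%s/master.passwd.orig", tmpl);
    int fd = open(src, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, SAMPLE, sizeof SAMPLE - 1);
    close(fd);
    return n == (ssize_t)(sizeof SAMPLE - 1) ? 0 : -1;
}

/* Copy the bytes of src into an already-open destination descriptor. */
static int copy_into(const char *src, int dfd)
{
    char buf[512]; ssize_t n;
    int sfd = open(src, O_RDONLY);
    if (sfd < 0) return -1;
    while ((n = read(sfd, buf, sizeof buf)) > 0 && write(dfd, buf, (size_t)n) == n) { }
    close(sfd);
    return n == 0 ? 0 : -1;      /* 0 only if we read cleanly through to EOF */
}

/* Permission bits of path (the 0777 part), or -1 if it cannot be stat'ed. */
static int perm_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Careless: fopen(dst, "w") asks for 0666 and trusts the inherited umask.
 * From a typical root shell that is 022, so the hashes land in a 0644 file. */
static int backup_careless(const char *src, const char *dst, mode_t inherited)
{
    mode_t saved = umask(inherited);     /* model what the caller inherited */
    FILE *fp = fopen(dst, "w");
    umask(saved);
    if (fp == NULL) return -1;
    int rc = copy_into(src, fileno(fp));
    fclose(fp);
    return rc == 0 ? perm_bits(dst) : -1;
}

/* Hardened: clamp the umask around the open, pass an explicit 0600, and use
 * O_EXCL so a file or symlink planted at dst is refused, not written through. */
static int backup_secret(const char *src, const char *dst)
{
    mode_t saved = umask(077);
    int dfd = open(dst, O_WRONLY | O_CREAT | O_EXCL, 0600);
    umask(saved);
    if (dfd < 0) return -1;              /* errno is EEXIST for a planted file */
    int rc = copy_into(src, dfd);
    close(dfd);
    return rc == 0 ? perm_bits(dst) : -1;
}

/* Mode bits the backup ends up with, on a fresh fixture each time. */
static int demo_mode(int hardened)
{
    char src[96], dst[96];
    if (fixture(src, sizeof src, dst, sizeof dst) != 0) return -1;
    return hardened ? backup_secret(src, dst) : backup_careless(src, dst, 022);
}

/* 1 if the hardened backup refuses a target that already exists. */
static int demo_refuses_planted(void)
{
    char src[96], dst[96];
    if (fixture(src, sizeof src, dst, sizeof dst) != 0) return -1;
    int fd = open(dst, O_WRONLY | O_CREAT, 0644);   /* attacker pre-plants dst */
    if (fd < 0) return -1;
    close(fd);
    return backup_secret(src, dst) == -1 && errno == EEXIST;
}

int main(void)
{
    printf("careless backup mode: %04o\n", (unsigned)demo_mode(0));
    printf("hardened backup mode: %04o\n", (unsigned)demo_mode(1));
    printf("hardened refuses planted target: %d\n", demo_refuses_planted());
    return 0;
}
```

Build with cc -Wall and run it as any user: the careless copy reports 0644, the hardened one 0600, and the planted-target check 1 (the scratch directories are left under /tmp for inspection). The umask is restored on every path so the rest of a program such as adduser, including any files pwd_mkdb creates afterwards, is unaffected. Because umask can only remove bits, it is the explicit 0600 passed to open() that makes the result independent of the caller's umask; tightening the umask as Joerg suggests is belt and braces that also covers any library call that still goes through fopen(3).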