From owner-freebsd-security Tue Oct 15 17:33:42 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA21259 for security-outgoing; Tue, 15 Oct 1996 17:33:42 -0700 (PDT)
Received: from assaris.sics.se ([130.237.225.157]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA21253 for ; Tue, 15 Oct 1996 17:33:36 -0700 (PDT)
Received: (from assar@localhost) by assaris.sics.se (8.7.5/8.7.3) id CAA01593; Wed, 16 Oct 1996 02:15:29 +0200 (MET DST)
To: guido@gvr.win.tue.nl (Guido van Rooij)
Cc: marcs@znep.com, freebsd-security@FreeBSD.org
Subject: Re: bin/1805: Bug in ftpd
References: <199610151609.SAA04691@gvr.win.tue.nl>
Mime-Version: 1.0 (generated by tm-edit 7.68)
Content-Type: text/plain; charset=US-ASCII
From: Assar Westerlund
Date: 16 Oct 1996 02:15:23 +0200
In-Reply-To: guido@gvr.win.tue.nl's message of Tue, 15 Oct 1996 18:09:59 +0200 (MET DST)
Message-ID: <5l7mor7ois.fsf@assaris.sics.se>
Lines: 12
X-Mailer: Gnus v5.2.40/Emacs 19.34
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

guido@gvr.win.tue.nl (Guido van Rooij) writes:
> > After the setuid, I will be able to make it dump core, or even better
> > use `ptrace' and then login will still have the file descriptor
> > pointing to /etc/spwd.db open and I can make it read the complete
> > shadow file.
>
> endpwent closes the spwd.db if I'm right so that would be impossible.

Of course, it should call endpwent and endpwent should zero any
incriminating memory, but it doesn't do that now.

/assar
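
The check discussed in this message, sketched in C as an added example (not part of the original mail and not FreeBSD's login or ftpd code): before dropping privileges, close the password databases, scrub the in-memory hash, and fail closed if any descriptor still refers to the shadow database. The names `scrub`, `count_fds_to` and `prepare_for_setuid` are hypothetical, and a constructed temporary file stands in for /etc/spwd.db.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Zero a buffer through a volatile pointer so the compiler keeps the stores. */
void scrub(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Count open descriptors referring to the same file (device + inode) as path;
 * returns -1 if path cannot be stat'ed. */
int count_fds_to(const char *path)
{
    struct stat want, st;
    long max = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (stat(path, &want) != 0)
        return -1;
    if (max < 0 || max > 4096)
        max = 4096;             /* bound the scan (choice made for this example) */
    for (int fd = 0; fd < max; fd++)
        if (fstat(fd, &st) == 0 && st.st_dev == want.st_dev && st.st_ino == want.st_ino)
            n++;
    return n;
}

/* Hypothetical hook to run just before setuid(): returns 0 only when the
 * databases are closed and no descriptor to db_path remains, -1 otherwise. */
int prepare_for_setuid(char *hash_copy, size_t hash_len, const char *db_path)
{
    endpwent();                     /* close the passwd/shadow databases */
    scrub(hash_copy, hash_len);     /* our copy of the hash is no longer needed */
    return count_fds_to(db_path) == 0 ? 0 : -1;
}

int main(void)
{
    char path[] = "/tmp/spwd-demo-XXXXXX";      /* constructed stand-in for /etc/spwd.db */
    char hash[] = "$1$constructed$notarealhash"; /* constructed sample value */
    int fd = mkstemp(path);                     /* simulates the descriptor left open */
    printf("descriptor still open: %d\n", prepare_for_setuid(hash, sizeof hash, path));
    close(fd);
    printf("descriptor closed:     %d\n", prepare_for_setuid(hash, sizeof hash, path));
    unlink(path);
}
```

Comparing device and inode numbers rather than path names catches a descriptor that was opened under a different name or inherited from a parent process.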