Skip site navigation (1)Skip section navigation (2) 
Date:      11 May 1997 18:20:06 +0200
From:      Wolfram Schneider <wosch@apfel.de>
To:        Wolfram Schneider <wosch@apfel.de>
Cc:        Gnuchev Fedor <qwe@ht.eimb.rssi.ru>, freebsd-security@FreeBSD.ORG
Subject:   Re: Linux UID/GID 'Feature'
Message-ID:  <p1ibu6i2d6x.fsf@campa.panke.de>
In-Reply-To: Wolfram Schneider's message of 11 May 1997 17:21:39 %2B0200
References:  <Pine.BSF.3.95q.970511134602.168C-100000@ht.eimb.rssi.ru> <p1iwwp65918.fsf@campa.panke.de>
index | next in thread | previous in thread | raw e-mail 

Wolfram Schneider <wosch@apfel.de> writes:
> Gnuchev Fedor <qwe@ht.eimb.rssi.ru> writes:
> > > While trying to make a user entry in the /etc/passwd file unrecognized
> > > so I could demonstrate the use of valid UIDs, I placed a # in front of the UID.
> > > My theory was that this would make it an invalid number and cause Linux
> > > to give an authentication failure.  (This worked as expect on SunOS 4.1.4)
> > > But then we tried to su to that user and were rewarded by being dumped
> > > to UID 0.  It didn't recognize the UID so it defaulted to 0.  Cool huh?
> 
> Never put an non-numeric character in UID field!

Ok, here is a patch for pwd_mkdb:

Index: pw_scan.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/pwd_mkdb/pw_scan.c,v
retrieving revision 1.5
diff -u -r1.5 pw_scan.c
--- pw_scan.c	1996/06/20 19:19:29	1.5
+++ pw_scan.c	1997/05/11 16:00:33
@@ -42,6 +42,7 @@
 
 #include <sys/param.h>
 
+#include <ctype.h>
 #include <err.h>
 #include <fcntl.h>
 #include <pwd.h>
@@ -77,6 +78,10 @@
 		goto fmt;
 	if(p[0]) pw->pw_fields |= _PWF_UID;
 	id = atol(p);
+	for(; *p != '\0'; p++)
+		if (!isdigit(*p))
+			goto fmt;
+
 	if (root && id) {
 		warnx("root uid should be 0");
 		return (0);
@@ -91,6 +96,10 @@
 		goto fmt;
 	if(p[0]) pw->pw_fields |= _PWF_GID;
 	id = atol(p);
+	for(; *p != '\0'; p++)
+		if (!isdigit(*p))
+			goto fmt;
+
 	if (id > USHRT_MAX) {
 		warnx("%s > max gid value (%d)", p, USHRT_MAX);
 		/* return (0); This should not be fatal! */

-- 
Wolfram Schneider    <wosch@apfel.de>    http://www.apfel.de/~wosch/
help

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?p1ibu6i2d6x.fsf>