From: Wolfram Schneider
Date: 11 May 1997 18:20:06 +0200
To: Wolfram Schneider
Cc: Gnuchev Fedor, freebsd-security@FreeBSD.ORG
Subject: Re: Linux UID/GID 'Feature'
In-Reply-To: Wolfram Schneider's message of 11 May 1997 17:21:39 +0200

Wolfram Schneider writes:
> Gnuchev Fedor writes:
> > > While trying to make a user entry in the /etc/passwd file unrecognized
> > > so I could demonstrate the use of valid UIDs, I placed a # in front of the UID.
> > > My theory was that this would make it an invalid number and cause Linux
> > > to give an authentication failure. (This worked as expected on SunOS 4.1.4)
> > > But then we tried to su to that user and were rewarded by being dumped
> > > to UID 0. It didn't recognize the UID so it defaulted to 0. Cool huh?
> > Never put a non-numeric character in UID field!

Ok, here is a patch for pwd_mkdb:

Index: pw_scan.c =================================================================== RCS file: /usr/cvs/src/usr.sbin/pwd_mkdb/pw_scan.c,v retrieving revision 1.5 diff -u -r1.5 pw_scan.c --- pw_scan.c 1996/06/20 19:19:29 1.5 +++ pw_scan.c 1997/05/11 16:00:33 @@ -42,6 +42,7 @@ #include +#include #include #include #include 
@@ -77,6 +78,10 @@ goto fmt; if(p[0]) pw->pw_fields |= _PWF_UID; id = atol(p); + for(; *p != '\0'; p++) + if (!isdigit(*p)) + goto fmt; + if (root && id) { warnx("root uid should be 0"); return (0); @@ -91,6 +96,10 @@ goto fmt; if(p[0]) pw->pw_fields |= _PWF_GID; id = atol(p); + for(; *p != '\0'; p++) + if (!isdigit(*p)) + goto fmt; + if (id > USHRT_MAX) { warnx("%s > max gid value (%d)", p, USHRT_MAX); /* return (0); This should not be fatal! */ -- Wolfram Schneider http://www.apfel.de/~wosch/
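Review bot: in the @@ -77,6 +78,10 @@ hunk, isdigit(*p) is called on a plain char, which is undefined for negative values where char is signed; cast the argument to unsigned char. The visible lines also do not reject an empty field: with p[0] == '\0' the loop body never runs and id = atol(p) is 0, so a blank UID still yields id 0. Consider replacing the atol() plus loop pair with strtoul() and an end-pointer check, which validates the digits, catches overflow and can require at least one digit in a single pass.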
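Review bot: in the @@ -91,6 +96,10 @@ hunk, the new loop advances p itself, so when it finishes p points at the terminating NUL and the following context line warnx("%s > max gid value (%d)", p, USHRT_MAX) prints an empty string instead of the offending GID. Walk the field with a separate cursor (or use an end pointer from strtoul()) and leave p untouched. The isdigit(*p) call here needs the same cast to unsigned char as in the UID hunk.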
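Added example, not part of the original message or the FreeBSD source: the failure mode described in the quoted report (a '#' in front of the UID turning into id 0), shown as the lenient atol() conversion next to a strict parse. The helper names lenient_id and strict_id and the sample fields are hypothetical; the USHRT_MAX limit is borrowed from the GID check in the patch context.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Lenient parse, as in the code being patched: atol() returns 0 when the
 * field does not start with a number, so "#1000" silently becomes id 0. */
static long lenient_id(const char *field)
{
    return atol(field);
}

/* Strict parse (hypothetical helper): digits only, non-empty, within max.
 * Returns 0 and stores the id on success, -1 on any malformed field. */
static int strict_id(const char *field, unsigned long max, unsigned long *out)
{
    char *end;
    unsigned long v;

    /* Reject empty fields, signs and leading whitespace up front;
     * strtoul() alone would accept " 5", "+5" and "-5". */
    if (!isdigit((unsigned char)field[0]))
        return -1;
    errno = 0;
    v = strtoul(field, &end, 10);
    if (errno == ERANGE || *end != '\0' || v > max)
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed sample UID fields, not taken from a real passwd file. */
    const char *samples[] = { "1000", "#1000", "", "12ab", "-1", "70000" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned long id = 0;
        int rc = strict_id(samples[i], USHRT_MAX, &id);

        printf("%-8s atol=%-6ld strict=%s\n", samples[i],
            lenient_id(samples[i]), rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```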