From owner-freebsd-security  Sun May 11 09:20:29 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id JAA02971
          for security-outgoing; Sun, 11 May 1997 09:20:29 -0700 (PDT)
Received: from bsd.fs.bauing.th-darmstadt.de (bsd.fs.bauing.th-darmstadt.de [130.83.63.241])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id JAA02966
          for <freebsd-security@FreeBSD.ORG>; Sun, 11 May 1997 09:20:27 -0700 (PDT)
Received: from campa.panke.de (anonymous214.ppp.cs.tu-berlin.de [130.149.17.214])
	by bsd.fs.bauing.th-darmstadt.de (8.8.5/8.8.5) with ESMTP id SAA03246;
	Sun, 11 May 1997 18:20:16 +0200 (MET DST)
Received: (from wosch@localhost) by campa.panke.de (8.8.5/8.6.12) id SAA25008; Sun, 11 May 1997 18:20:09 +0200 (MET DST)
To: Wolfram Schneider <wosch@apfel.de>
Cc: Gnuchev Fedor <qwe@ht.eimb.rssi.ru>, freebsd-security@FreeBSD.ORG
Subject: Re: Linux UID/GID 'Feature'
References: <Pine.BSF.3.95q.970511134602.168C-100000@ht.eimb.rssi.ru>
	<p1iwwp65918.fsf@campa.panke.de>
From: Wolfram Schneider <wosch@apfel.de>
Date: 11 May 1997 18:20:06 +0200
In-Reply-To: Wolfram Schneider's message of 11 May 1997 17:21:39 +0200
Message-ID: <p1ibu6i2d6x.fsf@campa.panke.de>
Lines: 53
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Wolfram Schneider <wosch@apfel.de> writes:
> Gnuchev Fedor <qwe@ht.eimb.rssi.ru> writes:
> > > While trying to make a user entry in the /etc/passwd file unrecognized
> > > so I could demonstrate the use of valid UIDs, I placed a # in front of the UID.
> > > My theory was that this would make it an invalid number and cause Linux
> > > to give an authentication failure.  (This worked as expect on SunOS 4.1.4)
> > > But then we tried to su to that user and were rewarded by being dumped
> > > to UID 0.  It didn't recognize the UID so it defaulted to 0.  Cool huh?
> 
> Never put an non-numeric character in UID field!

Ok, here is a patch for pwd_mkdb:

Index: pw_scan.c
===================================================================
RCS file: /usr/cvs/src/usr.sbin/pwd_mkdb/pw_scan.c,v
retrieving revision 1.5
diff -u -r1.5 pw_scan.c
--- pw_scan.c	1996/06/20 19:19:29	1.5
+++ pw_scan.c	1997/05/11 16:00:33
@@ -42,6 +42,7 @@
 
 #include <sys/param.h>
 
+#include <ctype.h>
 #include <err.h>
 #include <fcntl.h>
 #include <pwd.h>
@@ -77,6 +78,10 @@
 		goto fmt;
 	if(p[0]) pw->pw_fields |= _PWF_UID;
 	id = atol(p);
+	for(; *p != '\0'; p++)
+		if (!isdigit(*p))
+			goto fmt;
+
 	if (root && id) {
 		warnx("root uid should be 0");
 		return (0);
@@ -91,6 +96,10 @@
 		goto fmt;
 	if(p[0]) pw->pw_fields |= _PWF_GID;
 	id = atol(p);
+	for(; *p != '\0'; p++)
+		if (!isdigit(*p))
+			goto fmt;
+
 	if (id > USHRT_MAX) {
 		warnx("%s > max gid value (%d)", p, USHRT_MAX);
 		/* return (0); This should not be fatal! */

-- 
Wolfram Schneider    <wosch@apfel.de>    http://www.apfel.de/~wosch/