Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 18 May 2010 21:11:26 GMT
From:      Paul Rascagneres <rootbsd@r00ted.com>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   i386/146718: We can create a file in /etc with simple user using chpass
Message-ID:  <201005182111.o4ILBQIM025066@www.freebsd.org>
Resent-Message-ID: <201005182120.o4ILK1Eq006241@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         146718
>Category:       i386
>Synopsis:       We can create a file in /etc with simple user using chpass
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-i386
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 18 21:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator:     Paul Rascagneres
>Release:        FreeBSD 8.0
>Organization:
-
>Environment:
FreeBSD freebsd-laptop 8.0-STABLE FreeBSD 8.0-STABLE #1: Thu May 13 18:40:45 UTC 2010     root@freebsd-laptop:/usr/obj/usr/src/sys/POL_DTRACE  i386
>Description:
We can create a file in /etc by killing chpass. Example on my website : http://www.r00ted.com/doku.php?id=0day_freebsd_chpass


Example :

On xterm 1 :
[pol@freebsd-laptop]$ export EDITOR=vi
[pol@freebsd-laptop]$ chpass
#Changing user information for pol.
Shell: /usr/local/bin/bash
Full Name: User &
Office Location:
Office Phone:
Home Phone:
Other information:

On xterm 2 :
[pol@freebsd-laptop ~]$ ps aux | grep chpass
root   1736  0.0  0.1  3504  1276   2  SN+  11:56PM   0:00.00 chpass
pol    1739  0.0  0.1  3496  1260   4  SN+  11:56PM   0:00.00 grep chpass
[pol@freebsd-laptop ~]$ pstree 1736
-+= 01736 root chpass
 \--- 01737 pol vi /etc/pw.Iu09aU
[pol@freebsd-laptop ~]$ kill -9 01736

After kill the file is not remove from /etc :

[pol@freebsd-laptop ~]$ ls -l /etc/pw.Iu09aU 
-rw-------  1 pol  pol  147 May 17 23:56 /etc/pw.Iu09aU


I think it's strange to create temp file in /etc... Why put it on /tmp?
>How-To-Repeat:
I mention it on full description.
>Fix:
I think you need to modify the tempname in the file /usr/src/lib/libutil/pw_util.c to put it on /tmp

>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201005182111.o4ILBQIM025066>