From owner-freebsd-security  Wed Oct 16 09:09:37 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id JAA11544
          for security-outgoing; Wed, 16 Oct 1996 09:09:37 -0700 (PDT)
Received: from gvr.win.tue.nl (root@gvr.win.tue.nl [131.155.210.19])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id JAA11535
          for <freebsd-security@FreeBSD.org>; Wed, 16 Oct 1996 09:09:31 -0700 (PDT)
Received: by gvr.win.tue.nl (8.6.13/1.53)
    id SAA07582; Wed, 16 Oct 1996 18:08:59 +0200
From: guido@gvr.win.tue.nl (Guido van Rooij)
Message-Id: <199610161608.SAA07582@gvr.win.tue.nl>
Subject: Re: bin/1805: Bug in ftpd
To: assar@sics.se (Assar Westerlund)
Date: Wed, 16 Oct 1996 18:08:59 +0200 (MET DST)
Cc: marcs@znep.com, freebsd-security@FreeBSD.org
In-Reply-To: <5l7mor7ois.fsf@assaris.sics.se> from Assar Westerlund at "Oct 16, 96 02:15:23 am"
X-Mailer: ELM [version 2.4ME+ PL17 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Assar Westerlund wrote:
> guido@gvr.win.tue.nl (Guido van Rooij) writes:
> > > After the setuid, I will be able to make it dump core, or even better
> > > use `ptrace' and then login will still have the file descriptor
> > > pointing to /etc/spwd.db open and I can make it read the complete
> > > shadow file.
> > 
> > endpwent closes the spwd.db if I'm right so that would be impossible.
> 
> Of course, it should call endpwent and endpwent should zero any
> incriminating memory, but it doesn't do that now.

Yes it does. Check the code.

-Guido