From: Assar Westerlund
Date: 16 Oct 1996 20:15:14 +0200
To: guido@gvr.win.tue.nl (Guido van Rooij)
Cc: marcs@znep.com, freebsd-security@FreeBSD.org
Subject: Re: bin/1805: Bug in ftpd
References: <199610161608.SAA07582@gvr.win.tue.nl>
In-Reply-To: guido@gvr.win.tue.nl's message of Wed, 16 Oct 1996 18:08:59 +0200 (MET DST)
Message-ID: <5laftm6aj1.fsf@assaris.sics.se>

guido@gvr.win.tue.nl (Guido van Rooij) writes:
> > guido@gvr.win.tue.nl (Guido van Rooij) writes:
> > > > After the setuid, I will be able to make it dump core, or even better
> > > > use `ptrace' and then login will still have the file descriptor
> > > > pointing to /etc/spwd.db open and I can make it read the complete
> > > > shadow file.
> > >
> > > endpwent closes the spwd.db if I'm right so that would be impossible.
> >
> > Of course, it should call endpwent and endpwent should zero any
> > incriminating memory, but it doesn't do that now.
>
> Yes it does. Check the code.

You're right. So what other programs should we check to see that they
really call endpwent?

/assar
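Added example, not part of the original message or of FreeBSD's code: a small C check for the condition the thread discusses, namely whether a password-database descriptor is still open at the point where a program is about to drop privileges. The function names `count_open_fds` and `pwdb_fd_leak` are hypothetical, and the 4096-descriptor scan bound is an assumption.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Count descriptors >= lowest that are currently open in this process. */
int count_open_fds(int lowest)
{
    long max = sysconf(_SC_OPEN_MAX);
    int n = 0;

    if (max < 0 || max > 4096)
        max = 4096;                     /* assumed bound, keeps the scan short */
    for (int fd = lowest; fd < (int)max; fd++)
        if (fcntl(fd, F_GETFD) != -1)   /* succeeds only for open descriptors */
            n++;
    return n;
}

/*
 * Read one entry from the password database, optionally release it with
 * endpwent(), and return how many descriptors stayed open across the call.
 * 0 means nothing was left behind.
 */
int pwdb_fd_leak(int call_endpwent)
{
    int before = count_open_fds(3);

    setpwent();
    (void)getpwent();                   /* may open the database file */
    if (call_endpwent)
        endpwent();                     /* should close it again */
    return count_open_fds(3) - before;
}

int main(void)
{
    int leaked = pwdb_fd_leak(1);

    printf("descriptors left open after endpwent(): %d\n", leaked);
    /* A privileged program would stop here rather than go on to setuid(). */
    return leaked == 0 ? 0 : 1;
}
```

Calling `pwdb_fd_leak(0)` shows the difference when `endpwent()` is skipped; the exact count depends on the C library's password-database backend.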