Date:      Wed, 16 Oct 1996 15:24:47 -0600 (MDT)
From:      Marc Slemko <marcs@znep.com>
To:        Guido van Rooij <guido@gvr.win.tue.nl>, Assar Westerlund <assar@sics.se>
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: bin/1805: Bug in ftpd
Message-ID:  <Pine.BSF.3.95.961016151749.19361E-100000@alive.ampr.ab.ca>
In-Reply-To: <5laftm6aj1.fsf@assaris.sics.se>

On Wed, 16 Oct 1996, Guido van Rooij wrote:

> Assar Westerlund wrote:
> > 
> > So what other programs should we check to see that they really call
> > endpwent?
> 
> The ones that call getpw*.

No, only the ones that call getpwent(3) _or_ call setpassent(3) or
setpwent(3).  Things like getpwnam call endpwent before they return.

On 16 Oct 1996, Assar Westerlund wrote:

> guido@gvr.win.tue.nl (Guido van Rooij) writes:
> > > guido@gvr.win.tue.nl (Guido van Rooij) writes:
> > > > > After the setuid, I will be able to make it dump core, or even better
> > > > > use `ptrace' and then login will still have the file descriptor
> > > > > pointing to /etc/spwd.db open and I can make it read the complete
> > > > > shadow file.
> > > > 
> > > > endpwent closes the spwd.db if I'm right so that would be impossible.
> > > 
> > > Of course, it should call endpwent and endpwent should zero any
> > > incriminating memory, but it doesn't do that now.
> > 
> > Yes it does. Check the code.

Is the "yes it does" referring to endpwent being called or to endpwent
zeroing memory?

endpwent is being called in ftpd (indirectly), but I don't see where
endpwent is zeroing memory.  Even if it was zeroing its memory, the DB
routines are the ones that are leaving the junk behind.
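The two concerns raised in this exchange, a password-database handle surviving a later setuid and a password hash lingering in memory, can both be checked from a small program. The following is an added example for illustration, not code from ftpd or from anyone in this thread. It assumes a libc whose getpwent keeps the database open between calls until endpwent is called (glibc and the BSDs do); the helper names `count_open_fds`, `fds_leaked_after_endpwent`, `fds_held_during_enumeration`, `secure_zero` and `lookup_uid_and_scrub` are this example's own.

```c
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: count the descriptors this process currently holds
   open.  Probing each fd with fcntl(F_GETFD) works on both BSD and Linux. */
static int count_open_fds(void) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;
    int n = 0;
    for (int fd = 0; fd < max; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* Walk the password database the way a setpwent/getpwent loop does (the
   case the thread says needs an explicit endpwent), call endpwent, and
   report how many descriptors remain open beyond the baseline.  0 means no
   database handle would survive into a later setuid'd image. */
int fds_leaked_after_endpwent(void) {
    int before = count_open_fds();
    setpwent();
    while (getpwent() != NULL)
        ;                       /* libc keeps the database open while iterating */
    endpwent();                 /* releases the handle */
    return count_open_fds() - before;
}

/* Same walk, measured while the enumeration is still in progress, to show
   that the handle really is held until endpwent (assumption: a libc that
   keeps the file open between getpwent calls). */
int fds_held_during_enumeration(void) {
    int before = count_open_fds();
    setpwent();
    getpwent();
    int during = count_open_fds() - before;
    endpwent();
    return during;
}

/* Zero through a volatile pointer so the compiler cannot drop the scrub as
   a dead store; a portable stand-in for explicit_bzero. */
static void secure_zero(void *p, size_t n) {
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Look up one user with getpwnam_r into a caller-owned buffer, keep only
   the uid, and scrub the buffer: pw_passwd points into buf, so whatever the
   lookup returned does not linger in memory after we are done with it.
   Returns 0 on success, -1 if the user is unknown. */
int lookup_uid_and_scrub(const char *name, uid_t *uid_out) {
    struct passwd pw, *res = NULL;
    char buf[4096];
    int rc = getpwnam_r(name, &pw, buf, sizeof buf, &res);
    if (rc != 0 || res == NULL) {
        secure_zero(buf, sizeof buf);
        return -1;
    }
    *uid_out = res->pw_uid;
    secure_zero(buf, sizeof buf);
    secure_zero(&pw, sizeof pw);   /* its pointers referred into buf */
    return 0;
}

int main(void) {
    uid_t uid;
    printf("fds held during getpwent loop: %d\n", fds_held_during_enumeration());
    printf("fds leaked after endpwent:     %d\n", fds_leaked_after_endpwent());
    if (lookup_uid_and_scrub("root", &uid) == 0)
        printf("root uid = %ld, lookup buffer scrubbed\n", (long)uid);
    return 0;
}
```

Running the descriptor count just before the setuid in a daemon, and failing loudly if it is above the expected baseline, is a cheap regression check for exactly the class of bug reported in bin/1805; the scrub covers the separate point about leftover memory, which endpwent does not address on its own.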