Date: Wed, 16 Oct 1996 15:24:47 -0600 (MDT)
From: Marc Slemko <marcs@znep.com>
To: Guido van Rooij <guido@gvr.win.tue.nl>, Assar Westerlund <assar@sics.se>
Cc: freebsd-security@FreeBSD.org
Subject: Re: bin/1805: Bug in ftpd
Message-ID: <Pine.BSF.3.95.961016151749.19361E-100000@alive.ampr.ab.ca>
In-Reply-To: <5laftm6aj1.fsf@assaris.sics.se>
On Wed, 16 Oct 1996, Guido van Rooij wrote:

> Assar Westerlund wrote:
> >
> > So what other programs should we check to see that they really call
> > endpwent?
>
> The ones that call getpw*.

No, only the ones that call getpwent(3) _or_ call setpassent(3) or
setpwent(3).  Things like getpwnam call endpwent before they return.

On 16 Oct 1996, Assar Westerlund wrote:

> guido@gvr.win.tue.nl (Guido van Rooij) writes:
>
> > guido@gvr.win.tue.nl (Guido van Rooij) writes:
> > > > > After the setuid, I will be able to make it dump core, or even better
> > > > > use `ptrace' and then login will still have the file descriptor
> > > > > pointing to /etc/spwd.db open and I can make it read the complete
> > > > > shadow file.
> > > >
> > > > endpwent closes the spwd.db if I'm right so that would be impossible.
> > >
> > > Of course, it should call endpwent and endpwent should zero any
> > > incriminating memory, but it doesn't do that now.
> >
> > Yes it does. Check the code.

Is the "yes it does" referring to endpwent being called or to endpwent
zeroing memory?  endpwent is being called in ftpd (indirectly), but I
don't see where endpwent is zeroing memory.  Even if it was zeroing its
memory, the DB routines are the ones that are leaving the junk behind.
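The pattern the thread converges on, written out as an added example in C. This is not code from this message, from the thread, or from the ftpd of the period: copy what is needed out of struct passwd into memory the daemon owns, call endpwent(3) so the password DB descriptor and libc buffers are released, scrub the copy when it is no longer needed, and only then setuid(); a descriptor probe lets the daemon check that nothing unexpected (such as an fd on the password DB) is still open before privileges drop. The names pw_snapshot, snapshot_user, count_open_fds_from, scrub and drop_privileges are hypothetical, and the example assumes a POSIX libc. Whether getpwnam(3) itself closes the DB is libc-specific (Marc states it does on the BSD libc of the time), which is why the explicit endpwent() call is unconditional. Disabling core dumps with RLIMIT_CORE goes beyond the thread and is added because the attack sketched above starts from a core dump or ptrace of the now-unprivileged process.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <unistd.h>

/* Probe a descriptor without changing it: fcntl(F_GETFD) fails only when
 * nothing is open at that number. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Count descriptors >= lowfd still open.  Right before setuid() a daemon
 * should see only descriptors it knows it owns; anything else is a
 * candidate leak such as the open password DB the thread describes. */
int count_open_fds_from(int lowfd)
{
    long maxfd = sysconf(_SC_OPEN_MAX), fd;
    int n = 0;
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;
    for (fd = lowfd; fd < maxfd; fd++)
        if (fd_is_open((int)fd))
            n++;
    return n;
}

/* Zero memory through a volatile pointer so the stores cannot be dropped
 * as dead; explicit_bzero(3) does the same where it exists. */
void scrub(void *p, size_t len)
{
    volatile unsigned char *v = p;
    while (len--)
        *v++ = 0;
}

/* Hypothetical: the subset of struct passwd a daemon still needs after
 * authentication, in memory it owns and can scrub. */
struct pw_snapshot {
    uid_t uid;
    gid_t gid;
    char name[64];
    char dir[256];
    char shell[256];
};

/* Hypothetical: look a user up, copy the needed fields, release the
 * password DB.  endpwent() is called unconditionally: it is harmless when
 * nothing is open and also covers a caller that used setpwent()/getpwent()
 * earlier.  Returns 0, or -1 if the user is unknown. */
int snapshot_user(const char *name, struct pw_snapshot *out)
{
    struct passwd *pw = getpwnam(name);
    if (pw == NULL) {
        endpwent();
        return -1;
    }
    memset(out, 0, sizeof *out);
    out->uid = pw->pw_uid;
    out->gid = pw->pw_gid;
    snprintf(out->name, sizeof out->name, "%s", pw->pw_name);
    snprintf(out->dir, sizeof out->dir, "%s", pw->pw_dir ? pw->pw_dir : "/");
    snprintf(out->shell, sizeof out->shell, "%s",
             pw->pw_shell ? pw->pw_shell : "/bin/sh");
    endpwent();   /* descriptor and libc-side buffers released here */
    return 0;
}

/* Hypothetical: drop privileges in an order that limits what a later core
 * dump or ptrace can recover: forbid core dumps, close the password DB,
 * change gid then uid, and verify root cannot be regained.  Returns 0 on
 * success, -1 on any failure (the caller must then exit). */
int drop_privileges(uid_t uid, gid_t gid)
{
    struct rlimit nocore = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &nocore) == -1)
        return -1;
    endpwent();
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (getuid() != uid || geteuid() != uid || getgid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)   /* regaining root must fail */
        return -1;
    return 0;
}
```

In a daemon the sequence is snapshot_user() for the authenticating user, then a call to count_open_fds_from(3) compared against the descriptors the process knows it holds (log a warning on anything extra), then drop_privileges(), and scrub() on the snapshot once the session no longer needs it. The fd probe is the cheap check a reviewer of ftpd would want to see: it catches the leaked password DB descriptor whether it came from a missing endpwent() or from some other library call.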
