Re: [linux-alert] Serious Security hole in getpwnam ()
As it appears only very few developers are on these lists, here's an
important security alert. I've cut it down to essentials, in case everyone
who _is_ on the lists decides to do the same - full text on request.
firstname.lastname@example.org (Jeff Uphoff) wrote on 28.05.96 in <199605281502.LAA00952@tarsier.cv.nrao.edu>:
> This is a *very* serious hole that affects Linux-based NIS client
> systems. A more formal alert will be posted once a fixed version of
> libc has been officially released.
> For those that don't want to (or can't) patch and recompile their own
> fixed version of libc, I recommend the *immediate* removal of all "stub"
> NIS username entries, of the forms described in the attached message,
> from /etc/passwd.
> From: Arno Schaefer <email@example.com>
> I just discovered a major security hole in the getpwnam() function
> in the current libc (5.3.12, probably present in all previous
> versions). It can be exploited if there is an entry in the form
> or similar in /etc/passwd (an entry to admit or exclude a single user
> from the NIS passwd file).
> By typing 'su +username' or 'su -- -username' respectively, you become root
> without being asked for a passwd.
> Content-Disposition: inline; filename="getpwnam.patch"
> Index: getpwnam.c
> RCS file: /home/work/cvs/linux/libc/pwd/getpwnam.c,v
> retrieving revision 1.5
> diff -c -r1.5 getpwnam.c
> *** getpwnam.c 1996/05/22 15:49:37 1.5
> - - --- getpwnam.c 1996/05/23 06:59:32
> *** 53,58 ****
> - - --- 53,63 ----
> register FILE *stream;
> register struct passwd *p;
> + #ifdef YP
> + if (name == '-' || name == '+')
> + return NULL;
> + #endif
> if (info == NULL)
> info = __pwdalloc();