
Re: Weird and insecure su problem: FIXED



On Fri, 15 Nov 2002 18:26:11 +0000, Glyn Kennington
<glyn.kennington@hertford.oxford.ac.uk> wrote:

>Pigeon wrote:
>> >And the `not an octal number' error suggests broken permissions somewhere.
>> It does, doesn't it? That was Microsoft's fault for their LF/CR line
>> break standard. In order to get my Linux box to boot again I had to
>> manually copy in the files from
>> dists/slink/main/disks-i386/2.1.11.1-1999.09.08/base2_1.tgz. Because I
>> couldn't run tar & gzip, I had to unpack it with WinZip on my Windoze
>> box. This resulted in every text file having LF/CR line breaks in,
>> including /root/.profile, the source of this particular error.
>
>I was under the impression that tar and gzip (for DOS/Windows) were included
>on the CD.  (At least, this was true of potato, maybe not for slink.)  So it
>should be possible to extract the files straight to Unix linebreak format,
>rather than munging it to the DOS one.  I haven't got the Woody .iso's to
>hand, so I can't check if they've got the necessary tools.

The slink single CD has gzip for DOS but not tar. Since a .tar.gz is
simply a gzipped .tar, and WinZip doesn't (as far as I can tell)
inspect the files at all until it has unzipped it and reached the
stage of extracting the tar, this doesn't help. I suppose I could have
burst the tar by hand with Norton Utilities, but I'd rather not...

The point is that WinZip is broken. An archiver shouldn't modify the
files it's [un]archiving. But I didn't realise until it was too late.
So even if the slink CD had had tar for DOS, I wouldn't have
installed/used it, as I thought that the app I already had installed
would work.

>However, it's possible that su is vulnerable to a buffer overflow or similar
>here.  My understanding of your description is that, when presented with an
>encrypted password it can't understand, it lets the user in automatically.
>This is probably not a security hole in itself (an attacker would need to
>have a user's account already, and be able to reliably overwrite sections of
>a root-owned file with garbage), but potentially worrying nonetheless.

I've grabbed the slink su source - from a very brief look (2 mins) the
su code itself looks OK but may possibly rely on some library code
which isn't. But that is only a vague impression from a casual glance.
A more thorough investigation is on my "to do" list.

>> To fix it, I simply
>> copied /etc/passwd to /etc/shadow. It works now. Cool! Thanks.
>
>Hmm, sounds like you haven't enabled shadow passwords. 

That's on my "to do" list as well. Good job I hadn't done it yet!
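As an added example (not from the original post or anyone in the thread), the script below reproduces the line-ending failure described above on a constructed `.profile`: a `umask 022` line that carries a trailing CR is rejected by the shell, and the same CR bytes can be located across an unpacked tree and stripped. The directory layout, file contents and function names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the CRLF failure
# described in the thread and locate/fix affected files. The directory,
# file name and profile contents are constructed for the demonstration.

# Build a .profile with DOS (CR LF) line endings, as an archiver that
# converts "text" files would produce. $1 is a scratch directory.
make_dos_profile() {
    printf 'umask 022\r\nPATH=/usr/local/bin:/usr/bin:/bin\r\nexport PATH\r\n' \
        > "$1/.profile"
}

# Exit 0 if the file contains any carriage return (0x0D) bytes.
has_crlf() {
    grep -q "$(printf '\r')" "$1"
}

# Print every regular file under $1 that contains a carriage return.
# Binaries that happen to contain 0x0D are listed too, so review the
# output before passing it to strip_crlf.
find_crlf_files() {
    find "$1" -type f -exec grep -l "$(printf '\r')" {} +
}

# Strip carriage returns from a file in place (what dos2unix does).
strip_crlf() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Run the first umask line of a profile in a subshell and report whether
# the shell accepted it. With a trailing CR the argument is "022<CR>",
# which umask rejects ("not an octal number" or similar wording,
# depending on the shell); after strip_crlf it is accepted.
profile_umask_ok() {
    line=$(grep '^umask' "$1" | head -n 1)
    ( eval "$line" ) 2>/dev/null
}
```

Typical use after restoring a system from an archive unpacked on DOS/Windows: run `find_crlf_files /` (or over the restored subtree), check that the listed files are really text, then apply `strip_crlf` to each. `profile_umask_ok` is only a probe for the specific symptom in the post; the underlying problem is the stray CR, and any shell builtin that parses its argument strictly will fail the same way.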
