The OpenNET Project
 


[linux-security] shadow-971001


Date: Fri, 10 Jul 1998 18:02:52 -0500 (EST)
From: High Tide <[email protected]>
To: [email protected]
Subject: [linux-security] shadow-971001

I think I may have found a security weakness w/ login in shadow-971001.  I
can't imagine this being a large problem if no one has run into it yet,
but I know that's not the way to run security.

It seems that after the user has been authenticated, it makes a call to
setup_uid_gid to change the userID, and (for systems which support
multiple concurrent groups), make a call to initgroups before changing the
UID.  If initgroups fails (apparently, EPERM || ENOMEM), setup_uid_gid
returns -1, however is still running as root.  Main() does not check a
return from setup_uid_gid, and should continue processing, and execute a
shell, as root.

Tell me I'm missing something...

I apologize for being out of coding long enough to put together a patch
and contact the _right_ people beforehand (I'm getting back though),
however if this does in fact need to be patched, it should be as simple as
what's done in su.c from the same package:

Change login.c:960 from
      setup_uid_gid(&pwent, is_console);
to:
      if (setup_uid_gid(&pwent, is_console))
              exit(1);

Sean

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe [email protected] < /dev/null
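
The failure mode described in the message above, as an added example that is not part of the original post or of the shadow package. It is a constructed model (`struct proc`, the `sim_*` functions and `model_setup_uid_gid` are hypothetical stand-ins, so it runs without root) in which a simulated initgroups failure leaves the uid at 0, with a caller that ignores the return value beside one that fails closed.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed model of a process's credentials; not shadow's data structures.
 * fail_initgroups is the errno to simulate (0 means the call succeeds). */
struct proc { int uid; int gid; int fail_initgroups; };

/* Stand-ins for initgroups(3), setgid(2) and setuid(2) acting on the model. */
static int sim_initgroups(struct proc *p) {
    if (p->fail_initgroups) { errno = p->fail_initgroups; return -1; }
    return 0;
}
static int sim_setgid(struct proc *p, int gid) { p->gid = gid; return 0; }
static int sim_setuid(struct proc *p, int uid) { p->uid = uid; return 0; }

/* Same shape as the post describes: groups first, then gid, then uid.
 * Returns -1 on the first failure, leaving the process at its old uid. */
static int model_setup_uid_gid(struct proc *p, int uid, int gid) {
    if (sim_initgroups(p) != 0) return -1;
    if (sim_setgid(p, gid) != 0) return -1;
    if (sim_setuid(p, uid) != 0) return -1;
    return 0;
}

/* Each caller returns the uid the shell would run as, or -1 if none starts. */
int login_unchecked(struct proc *p, int uid, int gid) {
    (void)model_setup_uid_gid(p, uid, gid);  /* return value ignored */
    return p->uid;                           /* shell is started regardless */
}

int login_checked(struct proc *p, int uid, int gid) {
    if (model_setup_uid_gid(p, uid, gid) != 0)
        return -1;                           /* fail closed: exit(1) in a real program */
    if (p->uid != uid || p->gid != gid)      /* confirm the drop took effect */
        return -1;
    return p->uid;
}

int main(void) {
    struct proc a = {0, 0, ENOMEM}, b = {0, 0, ENOMEM}, c = {0, 0, 0};
    printf("unchecked, initgroups fails:  shell uid %d\n", login_unchecked(&a, 1000, 1000));
    printf("checked,   initgroups fails:  %d\n", login_checked(&b, 1000, 1000));
    printf("checked,   all calls succeed: shell uid %d\n", login_checked(&c, 1000, 1000));
    return 0;
}
```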
