Date: Sun, 26 Jan 1997 22:17:20 +1100 (EST)
From: Julian Assange <proff@iq.org>
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: bin/2593: <Synopsis of the problem (one line)> [small] security hole and nfs compatibility bug in rexecd.c
Message-ID: <199701261117.WAA16474@profane.iq.org>
Resent-Message-ID: <199701261120.DAA02330@freefall.freebsd.org>
>Number: 2593 >Category: bin >Synopsis: [small] security hole and nfs compatibility bug in rexecd.c >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Sun Jan 26 03:20:01 PST 1997 >Last-Modified: >Originator: Julian Assange >Organization: >Release: FreeBSD 3.0-CURRENT i386 >Environment: >Description: rexecd.c performs a chdir(home) as root rather than as user, possibly allowing the rexecd.c client access to directories they would have otherwise been barred from. The condition also has the effect of breaking all nfs mounted home directories where root is mapped to non-root, and the home directory is o-x. Additionally the buffer overflow in error() I reported earlier does not exist (I somehow managed (ADD?;) to mixup the order of the arguments in my head, swapping err<->buf). >How-To-Repeat: >Fix: --- src/libexec/rexecd/rexecd.c~ Sun Jan 26 21:48:35 1997 +++ src/libexec/rexecd/rexecd.c Sun Jan 26 22:05:03 1997 @@ -66,9 +66,9 @@ /*VARARGS1*/ int error(); -char username[20] = "USER="; -char homedir[64] = "HOME="; -char shell[64] = "SHELL="; +char username[MAXLOGNAME+5+1] = "USER="; +char homedir[MAXPATHLEN+5+1] = "HOME="; +char shell[MAXPATHLEN+6+1] = "SHELL="; char path[sizeof(_PATH_DEFPATH) + sizeof("PATH=")] = "PATH="; char *envinit[] = {homedir, shell, path, username, 0}; @@ -213,10 +213,6 @@ syslog(LOG_INFO, "login from %s as %s", remote, user); - if (chdir(pwd->pw_dir) < 0) { - error("No remote directory.\n"); - exit(1); - } (void) write(2, "\0", 1); if (port) { (void) pipe(pv); @@ -276,6 +272,10 @@ cp++; else cp = pwd->pw_shell; + if (chdir(pwd->pw_dir) < 0) { + perror("bad remote directory.\n"); + exit(1); + } execl(pwd->pw_shell, cp, "-c", cmdbuf, 0); perror(pwd->pw_shell); exit(1); 
@@ -289,7 +289,7 @@ char buf[BUFSIZ]; buf[0] = 1; - (void) sprintf(buf+1, fmt, a1, a2, a3); + (void) snprintf(buf+1, sizeof(buf)-1, fmt, a1, a2, a3); (void) write(2, buf, strlen(buf)); } >Audit-Trail: >Unformatted:
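Review bot: In the @@ -66,9 +66,9 @@ hunk the new array sizes use the bare literals 5 and 6 for the lengths of "USER=", "HOME=" and "SHELL=", while the unchanged path[] line directly below sizes itself with sizeof("PATH="). Writing them the same way, for example char homedir[MAXPATHLEN + sizeof("HOME=")], gives the same sizes and keeps each prefix and its length from drifting apart. The hunk adds no #include, so confirm that MAXLOGNAME and MAXPATHLEN (normally from <sys/param.h>) are already in scope. The larger arrays only help if the copies into them, which this patch does not touch, are bounded to the new sizes.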
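Review bot: In the @@ -213,10 +213,6 @@ hunk the chdir() check is removed from in front of (void) write(2, "\0", 1), so a missing or inaccessible home directory is no longer reported through error() before that zero byte is written; the failure now surfaces only at the relocated check in the next hunk. That is a visible change in what the client receives on this failure path and deserves a sentence in the description or a comment at the old location.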
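Review bot: In the @@ -276,6 +272,10 @@ hunk, perror("bad remote directory.\n") puts a newline inside the prefix, and perror() appends ": " and the errno text after its argument, so the message is split across two lines. perror(pwd->pw_dir), in the style of the perror(pwd->pw_shell) two lines below, would name the directory and print cleanly. The hunk's context does not show the uid change, so it is also worth confirming that the new chdir() really sits after it, since that is the whole point of the move.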
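Review bot: In the @@ -289,7 +289,7 @@ hunk the bound sizeof(buf)-1 correctly accounts for the buf+1 offset, but error() still forwards exactly three untyped arguments (a1, a2, a3) behind the /*VARARGS1*/ int error(); declaration visible in the first hunk. Converting it to a stdarg function that calls vsnprintf(buf+1, sizeof(buf)-1, fmt, ap) would remove the dependence on that three-argument convention. Since the report itself retracts the earlier overflow claim, the description should state that this change is hardening rather than a fix.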