
Re: Linux UID/GID 'Feature'



>Approved-By: aleph1@UNDERGROUND.ORG
>Date: 	Sun, 11 May 1997 13:39:21 -0400
>Reply-To: Jon Lewis <jlewis@INORGANIC5.FDT.NET>
>Sender: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
>From: Jon Lewis <jlewis@INORGANIC5.FDT.NET>
>Subject:      Re: Linux UID/GID 'Feature'
>X-To:         David Phillips <phillips@PCISYS.NET>
>X-cc:         linux-security@redhat.com
>To: BUGTRAQ@NETSPACE.ORG
>
>On Sat, 10 May 1997, David Phillips wrote:
>> While trying to make a user entry in the /etc/passwd file unrecognized
>> so I could demonstrate the use of valid UIDs, I placed a # in front of
>> the UID.
...
>> But then we tried to su to that user and were rewarded by being dumped
>> to UID 0.  It didn't recognize the UID so it defaulted to 0.  Cool huh?
>> He also noted that it works the same for GID.  ...

I recognize this bug.  It is caused by the getpw*() routines doing an
atoi() without checking that the field actually was fully numeric.  I
had thought that current libc's all had this fixed.  I guess this
wasn't.

In any case, NObody would EVER put something like THAT in a passwd file
that's really in use, would they now?  ;-)  [Yes, mistakes happen, and
this should have been "defensively" programmed against.]

Joe Yao				jsdy@cais.com - Joseph S. D. Yao
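
The failure mode discussed in this message, as an added example that is not part of the original post and not taken from any libc source: a lax atoi() parse of the passwd UID field next to a strict one. The function names and the sample passwd line are constructed for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Copy the UID field (third colon-separated field) of a passwd line. */
static int uid_field(const char *line, char *buf, size_t len)
{
    const char *p = strchr(line, ':');
    size_t n;
    if (p == NULL || (p = strchr(p + 1, ':')) == NULL)
        return -1;
    n = strcspn(++p, ":\n");
    if (n >= len)
        return -1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 0;
}

/* Lax parse: atoi() reads no digits from "#500" and returns 0 (root). */
long long lax_uid(const char *line)
{
    char f[32];
    return uid_field(line, f, sizeof f) ? -1 : (long long)(uid_t)atoi(f);
}

/* Strict parse: digits only, no overflow, must fit uid_t; -1 on reject. */
long long strict_uid(const char *line)
{
    char f[32], *end;
    unsigned long v;
    if (uid_field(line, f, sizeof f) || !isdigit((unsigned char)f[0]))
        return -1;              /* rejects "", "#500", "-1", " 500" */
    errno = 0;
    v = strtoul(f, &end, 10);
    if (errno == ERANGE || *end != '\0' || (unsigned long)(uid_t)v != v)
        return -1;              /* rejects overflow and trailing junk */
    return (long long)v;
}

int main(void)
{
    const char *bad = "demo:x:#500:#500:Demo:/home/demo:/bin/sh"; /* constructed */
    printf("lax=%lld strict=%lld\n", lax_uid(bad), strict_uid(bad));
    return 0;
}
```

A caller of the strict version should treat -1 as "entry unusable" and refuse the lookup rather than fall back to any default ID.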


