[linux-security] shadow-971001
- From: High Tide <hightide ginch org>
- To: linux-security redhat com
- Subject: [linux-security] shadow-971001
- Date: Fri, 10 Jul 1998 18:02:52 -0500 (EST)

I think I may have found a security weakness w/ login in shadow-971001. I
can't imagine this being a large problem if no one has run into it yet,
but I know that's not the way to run security.

It seems that after the user has been authenticated, it makes a call to
setup_uid_gid to change the userID, and (for systems which support
multiple concurrent groups), makes a call to initgroups before changing the
UID. If initgroups fails (apparently, EPERM || ENOMEM), setup_uid_gid
returns -1, however it is still running as root. Main() does not check a
return from setup_uid_gid, and should continue processing, and execute a
shell, as root.

Tell me I'm missing something...

I apologize for being out of coding long enough to put together a patch
and contact the _right_ people beforehand (I'm getting back though),
however if this does in fact need to be patched, it should be as simple as
what's done in su.c from the same package:

Change login.c:960 from

    setup_uid_gid(&pwent, is_console);

to:

    if (setup_uid_gid(&pwent, is_console))
        exit(1);

Sean
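
The failure mode described in the message above, as an added example that is not part of the original post and not code from the shadow package. The privilege calls are replaced by simulated ones so it runs unprivileged; every name in it (drop_privileges, login_unchecked, login_checked, the sim_* helpers) is hypothetical.

```c
#include <errno.h>

/* Constructed model: the real privilege calls are replaced by simulated
 * ones so the example runs unprivileged. All names are hypothetical. */
struct account { const char *name; int uid; int gid; };

static int sim_uid, sim_gid;        /* simulated process credentials */
static int groups_should_fail;      /* forces sim_initgroups() to fail */

static int sim_initgroups(const char *user, int gid)
{
    (void)user; (void)gid;
    if (groups_should_fail) { errno = ENOMEM; return -1; }
    return 0;
}
static int sim_setgid(int gid) { sim_gid = gid; return 0; }
static int sim_setuid(int uid) { sim_uid = uid; return 0; }

/* Same shape as the routine in the post: groups first, then GID, then
 * UID; returns -1 on any failure with the credentials left unchanged. */
static int drop_privileges(const struct account *a)
{
    if (sim_initgroups(a->name, a->gid) != 0) return -1;
    if (sim_setgid(a->gid) != 0) return -1;
    if (sim_setuid(a->uid) != 0) return -1;
    return 0;
}

/* Returns the UID the shell would start with, or -1 if login aborts. */
int login_unchecked(const struct account *a, int fail)
{
    sim_uid = sim_gid = 0;          /* login starts as root */
    groups_should_fail = fail;
    drop_privileges(a);             /* return value ignored */
    return sim_uid;
}

int login_checked(const struct account *a, int fail)
{
    sim_uid = sim_gid = 0;          /* login starts as root */
    groups_should_fail = fail;
    if (drop_privileges(a) != 0)
        return -1;                  /* stands in for exit(1) */
    if (sim_uid != a->uid || sim_gid != a->gid)
        return -1;                  /* confirm the drop took effect */
    return sim_uid;
}
```
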