Bugtraq mailing list archives
Re: GNU finger 1.37 executes ~/.fingerrc with gid root
From: cwe () it kth se (Christian Wettergren)
Date: Mon, 20 Mar 95 11:26:04 +0100
| There is a bug in the `lib/site/userinfo.c' module of GNU finger version
| 1.37 allowing any user on a system to execute arbitrary commands with gid
| root from ~/.fingerrc. The problem is that GNU finger *first* changes its
| userid thus giving away root privileges and *then* tries to change its gid
| which will not succeed.

I would feel much more comfortable if the return values of setuid() and setgid() were checked. The current setup assumes the daemon is run as root. If it is not (it wasn't at our site for "historical" reasons) it will keep its spawned identity, not changing it at all. Without discovering this.

| /* Set uid/gid */ | - setuid (user->pw_uid); | setgid (user->pw_gid); | | /* Set default directory */ | chdir (user->pw_dir); | | /* Run ~/.fingerrc through user shell */ | #ifdef FINGERRC_SHELL | execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL); | #else | execlp (user->pw_shell, user->pw_shell, "-c", file, NULL); | #endif

/Christian Wettergren, cwe () it kth se
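Review bot: as quoted, the hunk removes `setuid (user->pw_uid);` ahead of setgid() but shows no added line restoring it after setgid(), and neither call's return value is checked before chdir() and execlp(). Re-add the setuid() call after `setgid (user->pw_gid);`, test both results, and exit without reaching execlp() if either fails, so that a daemon started without root cannot run ~/.fingerrc under its inherited identity. `chdir (user->pw_dir);` is unchecked as well and deserves the same treatment.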
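The checked drop this reply asks for, as an added example that is not part of the original post or of GNU finger's source. `drop_privileges` and `verify_identity` are hypothetical helper names, and clearing supplementary groups with setgroups() goes beyond what the thread discusses.

```c
#define _DEFAULT_SOURCE          /* for setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 only if real and effective ids all match uid/gid. */
int verify_identity(uid_t uid, gid_t gid)
{
    if (getgid() != gid || getegid() != gid) return -1;
    if (getuid() != uid || geteuid() != uid) return -1;
    return 0;
}

/* Hypothetical helper: drop to uid/gid permanently, or report failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Supplementary groups can only be changed while still privileged. */
    if (geteuid() == 0 && setgroups(1, &gid) != 0) return -1;
    /* Group first: after setuid() to a non-root uid, setgid() is refused. */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* Once the drop is complete, regaining root must fail. */
    if (uid != 0 && setuid(0) == 0) return -1;
    /* Catches a daemon that was not started as root and so kept its
       spawned identity instead of becoming the target user. */
    return verify_identity(uid, gid);
}

int main(void)
{
    /* Constructed demo: "drop" to the ids this process already has. */
    if (drop_privileges(getuid(), getgid()) != 0) {
        perror("drop_privileges");
        return 1;   /* never reach exec with the wrong identity */
    }
    puts("identity confirmed; safe to chdir() and exec the user's shell");
    return 0;
}
```
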