cvs commit: src/libexec/rexecd rexecd.c

Jacques Vidrine nectar at FreeBSD.org
Mon Apr 4 08:51:27 PDT 2005 

On Apr 4, 2005, at 8:12 AM, Dag-Erling Smørgrav wrote:
> Jacques Vidrine <nectar at FreeBSD.org> writes:
>>   A separate bug was introduced at the same time.  The PAM library
>>   functions are called between the invocation of getpwnam(3) and the 
>> use
>>   of the returned static object.  Since many PAM library functions
>>   result in additional getpwnam(3) calls, the contents of the returned
>>   static object could be changed from under rexecd.  With this commit,
>>   getpwnam_r(3) is used instead.
>
> This is incorrect, because PAM may change the login name, so the
> struct passwd you got before calling PAM might not be the one you
> actually need.  The simplest fix is to revert this patch and instead
> add
>
>   pam_get_item(pamh, PAM_USER, &user);
>   pwd = getpwnam(user);
>
> after the PAM transaction.

Thanks, I understand what you are saying.  This bug existed prior to my 
commit, but it due to the bug that that commit fixes, it may have been 
masked in many situations.

The fix you suggest also will not work, since other interfaces are 
invoked between getpwnam() and the final usage of the result structure. 
  To be clear, we started with:

   pwd = getpwnam()
   if (pwd->pw_uid = 0)   <--- oops
   pam_authenticate etc   <--- underlying static struct passwd changes
   setlogin(pwd->pw_name) and other uses of static struct passwd
   pam_setcred etc        <--- possibly more changes to static data
   setuid(pwd->pw_uid) and other uses of static struct passwd

In -CURRENT we now have

   pwd = getpwnam_r()
   if (pwd->pw_uid == 0)
   pam_authenticate etc   <--- Now OK, we have our own struct passwd
   setlogin(pwd->pw_name) and other uses of local struct passwd
   pam_setcred etc        <--- Now OK, we have our own struct passwd
   setuid(pwd->pw_uid) and other uses of local struct passwd

You bring up that we need to lookup the user again after 
pam_authenticate.  So we will finally need:

   pwd = getpwnam_r()
   if (pwd->pw_uid == 0)
   pam_authenticate etc
   pwd = getpwnam_r(PAM_USER)  <--- user may have changed
   setlogin(pwd->pw_name)
   pam_setcred etc
   setuid(pwd->pw_uid)

Thanks for the pointer!  By the way, have you checked other PAM-using 
applications to make sure they do not make the same kinds of mistakes?

Cheers,
-- 
Jacques A Vidrine / NTT/Verio
nectar at celabo.org / jvidrine at verio.net / nectar at freebsd.org

More information about the cvs-all mailing list