i386/146718: We can create a file in /etc with simple user using
chpass
Paul Rascagneres
rootbsd at r00ted.com
Tue May 18 21:20:02 UTC 2010
>Number: 146718
>Category: i386
>Synopsis: We can create a file in /etc with simple user using chpass
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-i386
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue May 18 21:20:01 UTC 2010
>Closed-Date:
>Last-Modified:
>Originator: Paul Rascagneres
>Release: FreeBSD 8.0
>Organization:
-
>Environment:
FreeBSD freebsd-laptop 8.0-STABLE FreeBSD 8.0-STABLE #1: Thu May 13 18:40:45 UTC 2010 root at freebsd-laptop:/usr/obj/usr/src/sys/POL_DTRACE i386
>Description:
We can create a file in /etc by killing chpass. Example on my website : http://www.r00ted.com/doku.php?id=0day_freebsd_chpass
Example :
On xterm 1 :
[pol at freebsd-laptop]$ export EDITOR=vi
[pol at freebsd-laptop]$ chpass
#Changing user information for pol.
Shell: /usr/local/bin/bash
Full Name: User &
Office Location:
Office Phone:
Home Phone:
Other information:
On xterm 2 :
[pol at freebsd-laptop ~]$ ps aux | grep chpass
root 1736 0.0 0.1 3504 1276 2 SN+ 11:56PM 0:00.00 chpass
pol 1739 0.0 0.1 3496 1260 4 SN+ 11:56PM 0:00.00 grep chpass
[pol at freebsd-laptop ~]$ pstree 1736
-+= 01736 root chpass
\--- 01737 pol vi /etc/pw.Iu09aU
[pol at freebsd-laptop ~]$ kill -9 01736
After kill the file is not remove from /etc :
[pol at freebsd-laptop ~]$ ls -l /etc/pw.Iu09aU
-rw------- 1 pol pol 147 May 17 23:56 /etc/pw.Iu09aU
I think it's strange to create temp file in /etc... Why put it on /tmp?
>How-To-Repeat:
I mention it on full description.
>Fix:
I think you need to modify the tempname in the file /usr/src/lib/libutil/pw_util.c to put it on /tmp
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-i386
mailing list