From roth@segfault.cso.uiuc.edu Thu Mar 9 12:37:55 2000
Received: from MIT.EDU (SOUTH-STATION-ANNEX.MIT.EDU [18.72.1.2])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id MAA11162
for <bugs@RT-11.MIT.EDU>; Thu, 9 Mar 2000 12:37:51 -0500 (EST)
Received: from segfault.cso.uiuc.edu by MIT.EDU with SMTP
id AA01587; Thu, 9 Mar 00 12:37:33 EST
Received: (from roth@localhost)
by segfault.cso.uiuc.edu (8.10.0/8.10.0) id e29HbZf35468;
Thu, 9 Mar 2000 11:37:35 -0600
Message-Id: <20000309113734.A15932@segfault.cso.uiuc.edu>
Date: Thu, 9 Mar 2000 11:37:34 -0600
From: "Mark D. Roth" <roth@uiuc.edu>
To: krbdev@MIT.EDU, krb5-bugs@MIT.EDU
Subject: AIX 4.2.1 bug

>Number: 831
>Category: pending
>Synopsis: AIX 4.2.1 bug
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Mar 9 12:38:00 EST 2000
>Last-Modified: Tue Apr 18 20:13:12 EDT 2000
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Tue Apr 18 20:13:00 2000
State-Changed-Why:

fixed by raeburn

>Unformatted:
--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii

There's a subtle but potentially serious bug in the AIX-specific
section of the login.krb5 code which can cause a user to be logged in
as a user other than himself. We only discovered the problem by using
some custom code modifications, but it's definitely a potential
problem in the login.krb5 code which should be fixed.

The problem is that the global pwd value is set early on to point to
the user's passwd entry, then the AIX getuserattr() function is
called, and then the value of pwd is used again afterwards. However,
getuserattr() is unsafe to use in conjunction with the getpwent()
routines (presumably because it uses the same static memory location).
From the AIX getuserattr() manpage:

Attention: These subroutines and the setpwent and setgrent subroutines
should not be used simultaneously. The results can be unpredictable.

I've attached a patch relative to krb5-1.0.6 which fixes this problem,
but it looks like the problem still exists in 1.1.1 as well.

Please let me know if you have any questions or problems.

--
Mark D. Roth <roth@uiuc.edu>
System Administrator, CCSO Production Systems Group
http://www.uiuc.edu/ph/www/roth

--d6Gm4EdcadzBjdND
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="krb5-1.0.6-aix-fixes.diff"

--- krb5-1.0.6/src/appl/bsd/login.c Mon Mar 6 21:49:22 2000
+++ krb5-1.0.6-orig/src/appl/bsd/login.c Mon Mar 6 21:50:14 2000
@@ -2531,9 +2531,21 @@
#ifdef _IBMR2
update_ref_count(int adj)
{
+ struct passwd *save_pwd;
static char *empty = "\0";
char *grp;
int i;
+
+ /* save pwd before calling getuserattr() */
+ save_pwd = (struct passwd *)malloc(sizeof(struct passwd));
+ save_pwd->pw_name = strdup(pwd->pw_name);
+ save_pwd->pw_passwd = strdup(pwd->pw_passwd);
+ save_pwd->pw_uid = pwd->pw_uid;
+ save_pwd->pw_gid = pwd->pw_gid;
+ save_pwd->pw_gecos = strdup(pwd->pw_gecos);
+ save_pwd->pw_dir = strdup(pwd->pw_dir);
+ save_pwd->pw_shell = strdup(pwd->pw_shell);
+ pwd = save_pwd;

/* Update reference count on all user's temporary groups */
setuserdb(S_READ|S_WRITE);

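Review bot: the file headers are the wrong way round for this hunk: `---` names the modified `krb5-1.0.6/` tree and `+++` the `-orig` tree, yet the `+` lines carry the new code, so the diff reads as reversed; regenerate it with the pristine tree as the first argument. Within the hunk, `malloc()` and the five `strdup()` calls are unchecked: in a setuid login program a NULL from any of them is dereferenced on the following line (`save_pwd->pw_name = strdup(pwd->pw_name);` after a failed `malloc`) or left in `pwd` for later code to trip over, so test each result and abort the login on failure rather than continuing. The copy is never freed and `pwd` is left pointing at it for the rest of the process, which is acceptable in `login` but deserves a comment saying so.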
--d6Gm4EdcadzBjdND--
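The aliasing Roth describes, as an added C example that is not code from login.krb5 or from this thread: `fake_getpwnam()` and `fake_getuserattr()` are constructed stand-ins for the AIX routines that share one static buffer (the report only presumes this is the mechanism), the entry the second call happens to load is an assumption chosen to make the effect visible, and `copy_passwd()` applies the posted patch's deep-copy idea with the allocation checks the patch lacks.

```c
/* Added example, not code from login.krb5 or from the report.  Models the
 * hazard described above: a global `pwd` into library-owned static storage
 * that a later library call overwrites.  fake_getpwnam()/fake_getuserattr()
 * are CONSTRUCTED stand-ins; which entry the second call loads is assumed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>

/* Library-owned static storage, shared by both stand-in calls. */
static struct passwd shared_pw;
static char shared_name[64], shared_misc[] = "*";

/* Constructed user table standing in for /etc/passwd. */
static const struct { const char *name; uid_t uid; gid_t gid; } users[] =
    { { "alice", 1001, 100 }, { "root", 0, 0 } };

static struct passwd *fake_getpwnam(const char *name)
{
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++) {
        if (strcmp(users[i].name, name) != 0) continue;
        /* Every lookup reloads the SAME static buffer. */
        snprintf(shared_name, sizeof shared_name, "%s", users[i].name);
        shared_pw.pw_name = shared_name;
        shared_pw.pw_uid = users[i].uid;
        shared_pw.pw_gid = users[i].gid;
        shared_pw.pw_passwd = shared_pw.pw_gecos = shared_misc;
        shared_pw.pw_dir = shared_pw.pw_shell = shared_misc;
        return &shared_pw;
    }
    return NULL;
}

/* Stand-in for getuserattr(): reuses the storage fake_getpwnam() handed out. */
static int fake_getuserattr(const char *name, gid_t *gid_out)
{
    struct passwd *p = fake_getpwnam(name);
    if (!p) return -1;
    *gid_out = p->pw_gid;
    return 0;
}

static void free_passwd(struct passwd *c)
{
    if (!c) return;
    free(c->pw_name); free(c->pw_passwd); free(c->pw_gecos);
    free(c->pw_dir); free(c->pw_shell); free(c);
}

static char *dup_or_empty(const char *s) { return strdup(s ? s : ""); }

/* Deep copy out of library storage: the posted patch's idea, with every
 * allocation checked so a failure aborts the login rather than leaving a
 * NULL field behind in a setuid program. */
static struct passwd *copy_passwd(const struct passwd *src)
{
    struct passwd *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->pw_uid = src->pw_uid; c->pw_gid = src->pw_gid;
    c->pw_name   = dup_or_empty(src->pw_name);
    c->pw_passwd = dup_or_empty(src->pw_passwd);
    c->pw_gecos  = dup_or_empty(src->pw_gecos);
    c->pw_dir    = dup_or_empty(src->pw_dir);
    c->pw_shell  = dup_or_empty(src->pw_shell);
    if (!c->pw_name || !c->pw_passwd || !c->pw_gecos || !c->pw_dir || !c->pw_shell) {
        free_passwd(c);
        return NULL;
    }
    return c;
}

/* The sequence the report describes: keep the library pointer across the
 * AIX call, then trust it.  Returns the uid the session would be given. */
int login_uid_unsafe(const char *user)
{
    struct passwd *pwd = fake_getpwnam(user);
    gid_t g;
    if (!pwd) return -1;
    fake_getuserattr("root", &g);   /* rewrites *pwd behind our back */
    return (int)pwd->pw_uid;        /* "alice" is now set up as uid 0 */
}

/* Fixed sequence: snapshot the entry before the conflicting call. */
int login_uid_safe(const char *user)
{
    struct passwd *lib = fake_getpwnam(user), *pwd;
    gid_t g;
    int uid;
    if (!lib || !(pwd = copy_passwd(lib)))
        return -1;                  /* fail closed, including on ENOMEM */
    fake_getuserattr("root", &g);
    uid = (int)pwd->pw_uid;
    free_passwd(pwd);
    return uid;
}

int main(void)
{
    printf("unsafe: alice -> uid %d\n", login_uid_unsafe("alice"));
    printf("safe:   alice -> uid %d\n", login_uid_safe("alice"));
    return 0;
}
```

Where a reentrant lookup is available, `getpwnam_r()` with a caller-supplied buffer removes the shared static storage altogether and is the cleaner fix; the deep copy above is the portable fallback for platforms such as the AIX release in the report.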
From raeburn@MIT.EDU Thu Mar 16 00:46:06 2000
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28])
by rt-11.mit.edu (8.9.3/8.9.3) with SMTP id AAA01318
for <bugs@RT-11.MIT.EDU>; Thu, 16 Mar 2000 00:46:05 -0500 (EST)
Received: from DCL.MIT.EDU by MIT.EDU with SMTP
id AA10847; Thu, 16 Mar 00 00:24:47 EST
Received: (from raeburn@localhost) by dcl.mit.edu (8.9.3)
id AAA18421; Thu, 16 Mar 2000 00:23:12 -0500 (EST)
Message-Id: <tx1ln3jij40.fsf@mit.edu>
Date: 16 Mar 2000 00:23:11 -0500
From: Ken Raeburn <raeburn@MIT.EDU>
To: "Mark D. Roth" <roth@uiuc.edu>
Cc: krbdev@MIT.EDU, krb5-bugs@MIT.EDU
In-Reply-To: "Mark D. Roth"'s message of "Thu, 9 Mar 2000 11:37:34 -0600"
Subject: Re: AIX 4.2.1 bug
References: <20000309113734.A15932@segfault.cso.uiuc.edu>

>Number: 832
>Category: pending
>Synopsis: Re: AIX 4.2.1 bug
>Confidential: yes
>Severity: serious
>Priority: medium
>Responsible: gnats-admin
>State: closed
>Class: sw-bug
>Submitter-Id: unknown
>Arrival-Date: Thu Mar 16 00:47:00 EST 2000
>Last-Modified: Tue Apr 18 20:13:50 EDT 2000
>Originator:
>Organization:
>Release:
>Environment:
>Description:
>How-To-Repeat:
>Fix:
>Audit-Trail:

State-Changed-From-To: open-closed
State-Changed-By: tlyu
State-Changed-When: Tue Apr 18 20:13:21 2000
State-Changed-Why:

was reply to [831]; closed.

>Unformatted:
Thanks, I've put this patch in.