Path: sserve!newshost.anu.edu.au!munnari.oz.au!ihnp4.ucsd.edu!agate!agate!usenet
From: dleeds@MCS.COM (Daniel Leeds)
Newsgroups: comp.os.386bsd.announce
Subject: Security bug: BSD login.c version "5.73 (Berkeley) 6/29/91"
Date: 25 May 1994 13:01:39 -0700
Organization: MCSNet Subscriber Account, Chicago's First Public-Access Internet!
Lines: 45
Sender: cgd@agate.berkeley.edu
Approved: 386bsd-announce-request@agate.berkeley.edu
Message-ID: <2s013j$ll4@Mercury.mcs.com>
NNTP-Posting-Host: agate.berkeley.edu

[ Moderator's comment: normally i'm hesitant to post things such as this;
  in general, security problems should be reported to responsible parties,
  not the net. However, this has already hit the net, elsewhere, the bug
  has been fixed in NetBSD and FreeBSD, and the version of login at
  ftp.uu.net:pub/networking/bsd-net2/usr.bin/login has the bug fixed,
  as well. -- cgd ]

[ Article crossposted from comp.security.misc,comp.security.unix ]
[ Author was Stephen Usher ]
[ Posted on Wed, 25 May 1994 13:16:36 GMT ]

Thanks to one of the users of my MiNTOS package I have tracked down a bug in
the BSD-net2 version of login.c which allows anyone who has an account on the
machine to gain root privileges.

The version of login.c has the following sccsid line:-

    static char sccsid[] = "@(#)login.c 5.73 (Berkeley) 6/29/91";

The bug is that it doesn't reset the root login flag after an unsuccessful
attempt to login as root. The upshot of this is that if a person first
attempts to login as root, fails, then logs in as him/herself, he/she has a
uid of 0!

The fix is to add the line:-

    rootlogin = 0;

After the code:-

    if (pwd && !rval)
            break;

I don't know if there are any other versions of this code which also have
the same problem.

I suggest that if you have a Net2-BSD derived system you check login.c and
fix it ASAP.

Steve

--
---------------------------------------------------------------------------
Computer Systems Administrator, Dept. of Earth Sciences, Oxford University.
E-Mail: steve@uk.ac.ox.earth (JANET) steve@earth.ox.ac.uk (Internet).
Tel:- Oxford (0865) 282110 (UK) or +44 865 282110 (International).
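
The stale-flag bug described in the post, as a simplified model added here; it is not the login.c source and not code from the post or from any BSD project. Only rootlogin, pwd and rval come from the post. The account table, lookup(), session_uid(), the plaintext password compare and the rule that the session uid follows the flag are assumptions made so the reported symptom can be reproduced and the one-line fix checked.

```c
#include <stdio.h>
#include <string.h>

/* Constructed accounts; plaintext compare stands in for crypt(). */
struct account { const char *name, *pass; int uid; };
struct attempt { const char *name, *pass; };
static const struct account accounts[] = {
    { "root",  "constructed-root-pw", 0 },
    { "steve", "constructed-user-pw", 1001 },
};

static const struct account *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, name) == 0)
            return &accounts[i];
    return NULL;
}

/* Returns the uid the session would get, or -1 if every attempt fails.
 * reset_flag != 0 applies the one-line fix from the post. */
int session_uid(const struct attempt *tries, size_t n, int reset_flag)
{
    int rootlogin = 0;                  /* lives outside the retry loop */

    for (size_t i = 0; i < n; i++) {
        const struct account *pwd = lookup(tries[i].name);
        if (pwd && pwd->uid == 0)
            rootlogin = 1;              /* set before the password is checked */
        int rval = pwd ? strcmp(tries[i].pass, pwd->pass) : 1;
        if (pwd && !rval)               /* the success check quoted in the post */
            return rootlogin ? 0 : pwd->uid;  /* assumption: uid follows the flag */
        if (reset_flag)
            rootlogin = 0;              /* the fix: drop state from the failed try */
    }
    return -1;
}

int main(void)
{
    /* Constructed sequence: failed root attempt, then a valid user login. */
    const struct attempt seq[] = {
        { "root", "wrong" }, { "steve", "constructed-user-pw" },
    };
    printf("without reset: uid %d\n", session_uid(seq, 2, 0));
    printf("with reset:    uid %d\n", session_uid(seq, 2, 1));
    return 0;
}
```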