*BSD News Article 84610



Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!feed1.news.erols.com!news.bbnplanet.com!cpk-news-hub1.bbnplanet.com!EU.net!Germany.EU.net!Dortmund.Germany.EU.net!interface-business.de!usenet
From: j@ida.interface-business.de (J Wunsch)
Newsgroups: comp.unix.admin,comp.unix.bsd.misc
Subject: Re: adduser
Date: 9 Dec 1996 16:47:14 GMT
Organization: interface business GmbH, Dresden
Lines: 25
Message-ID: <58hfqi$87c@innocence.interface-business.de>
References: <5824sf$a6v@masala.cc.uh.edu>
Reply-To: joerg_wunsch@interface-business.de (Joerg Wunsch)
NNTP-Posting-Host: ida.interface-business.de
X-Newsreader: knews 0.9.6
X-Phone: +49-351-31809-14
X-Fax: +49-351-3361187
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F  93 21 E0 7D F9 12 D6 4E
Xref: euryale.cc.adfa.oz.au comp.unix.admin:51602 comp.unix.bsd.misc:1744

yichen@hermes.cs.uh.edu ( Yi Chen ) wrote:

> For security purposes, no characters are printed when entering passwords.
> 
> Insecure PATH at /etc/adm/lib/util.pl line 228, <STDIN> line 2.

You need to quote at least +/- 5 lines around this spot.

>    e) I also wrote a simple C program as following, compiled it and suid to
>       root, and same error msg as c).

> 2) I also tried sudo and visudo the /etc/sudoers. RUN 
>    /usr/local/bin/sudo /usr/sbin/adduser, got following

Of course, none of them are supposed to work with Perl. :-)  Perl is
smarter, it detects the suidness nevertheless, and still applies the
taint checks.  It is _very_ wise of Perl to do so, you might have
opened a can of worms otherwise.  (The ``insecure path'' is a strong
hint that you might get fooled by malicious users, hence you should not
try working around it, but instead try making the path secure.)

-- 
J"org Wunsch					       Unix support engineer
joerg_wunsch@interface-business.de       http://www.interface-business.de/~j
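
An added example, not part of the original post or of adduser's util.pl: a small Perl script run under taint mode that shows the "insecure path" refusal described above, the fix of setting a secure PATH inside the script, and the same check applied to a tainted argument. The file name, the `id` command, the directory list and the user-name pattern are assumptions chosen for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the original post. Run as: perl -T taint_demo.pl <user>
# (file name, the `id` command and the directory list are assumptions).
use strict;
use warnings;

$| = 1;    # keep our output in order with the child's output

# Run `id -u <user>`. Taint violations are fatal errors, so eval {} is used
# to report them instead of letting the script die.
sub try_id {
    my ($label, $user) = @_;
    my $rc = eval { system('id', '-u', $user) };
    if    (!defined $rc) { print "$label: refused: $@" }
    elsif ($rc == -1)    { print "$label: could not run id: $!\n" }
    else                 { print "$label: exit status ", $rc >> 8, "\n" }
}

# Command-line arguments are tainted, like everything else from outside.
my $raw = shift @ARGV;
die "usage: $0 <user>\n" unless defined $raw;

# 1) Inherited environment: Perl refuses with "Insecure $ENV{PATH} ...".
try_id('inherited PATH', 'root');

# 2) Make the path secure rather than working around the check: a fixed list
#    of absolute, non-world-writable directories, and drop the other
#    variables a shell could be steered by.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
try_id('fixed PATH', 'root');

# 3) PATH is clean now, but the argument is still tainted:
#    "Insecure dependency in system ...".
try_id('tainted argument', $raw);

# 4) Untaint by validating: only a regex capture yields clean data.
#    The pattern is a constructed, conservative login-name rule.
my ($user) = $raw =~ /\A([a-z_][a-z0-9_-]{0,31})\z/
    or die "rejected user name\n";
try_id('validated argument', $user);
```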