So, is it FreeBSD policy to ignore security bug reports? I sent the following bug report to [EMAIL PROTECTED] on Feb. 19th, 2005 and it still hasn't been acted on. This total lack of action on an extremely simple (and silly) three-year-old bug doesn't give one the warm fuzzies. Heck, it took 48 hours to get a response from a security officer, and another 24 hours to get something from the guilty developer.

From: [EMAIL PROTECTED] (John Nemeth)
Date: Sat, 19 Feb 2005 21:46:42 -0800
To: [EMAIL PROTECTED]
Subject: rexecd root lockout

I'm working on converting NetBSD's rexecd to use PAM and I was looking at FreeBSD's rexecd for ideas. In the process I noticed that FreeBSD's version of rexecd is supposed to disallow its use by uid 0. However, there is a bug in the PAM conversion of FreeBSD's rexecd.c that disables that feature. The change was made in revision 1.29 of rexecd on May 2, 2002. The problem is around line 192 and exists in the latest version. As far as I can tell the problem affects all FreeBSD 5.x releases.

The problem is that the following line:

    if ((pwd->pw_uid == 0 && no_uid_0) || *pwd->pw_passwd == '\0' ||

was changed to:

    if ((pwd = getpwnam(user)) == NULL || (pwd->pw_uid = 0 && no_uid_0) ||

Note that the second version assigns 0 to pwd->pw_uid instead of comparing it, thus forcing the uid 0 test to always fail.

The fix is to change the second line to:

    if ((pwd = getpwnam(user)) == NULL || (pwd->pw_uid == 0 && no_uid_0) ||

Note that I haven't tested any of this and found it by reading the code. The fix is also untested, but given the simplicity it should be fine.
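
The two forms of the uid 0 clause from the report above, isolated as an added example (not part of the original message and not FreeBSD's rexecd code). The function names, the make_entry helper and the sample accounts are constructed for illustration; the example shows that the changed clause never refuses uid 0 and also overwrites pw_uid in the entry it is given.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed passwd entry; nothing is read from the system database. */
struct passwd make_entry(char *name, uid_t uid)
{
    struct passwd pw;
    memset(&pw, 0, sizeof pw);
    pw.pw_name = name;
    pw.pw_uid = uid;
    return pw;
}

/* The clause as changed in the PAM conversion. && binds tighter than =,
 * so it parses as pw_uid = (0 && no_uid_0): it stores 0 and yields 0. */
int refuse_uid0_buggy(struct passwd *pwd, int no_uid_0)
{
    if ((pwd->pw_uid = 0 && no_uid_0))
        return 1;
    return 0;
}

/* The clause with the proposed fix: a comparison, no side effect. */
int refuse_uid0_fixed(const struct passwd *pwd, int no_uid_0)
{
    return pwd->pw_uid == 0 && no_uid_0;
}

int main(void)
{
    char *names[] = { "root", "alice" };   /* constructed sample accounts */
    uid_t uids[] = { 0, 1001 };

    for (int i = 0; i < 2; i++) {
        struct passwd a = make_entry(names[i], uids[i]);
        struct passwd b = a;               /* separate copy for the buggy path */
        int fixed = refuse_uid0_fixed(&a, 1);
        int buggy = refuse_uid0_buggy(&b, 1);
        printf("%-5s uid=%lu  fixed: refuse=%d  buggy: refuse=%d, uid now %lu\n",
               names[i], (unsigned long)uids[i], fixed, buggy,
               (unsigned long)b.pw_uid);
    }
    return 0;
}
```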