[bug: login] login command with -f flag fails to switch user account.

[Takashi Yano <takashi.yano@nifty.ne.jp>]

Hi,

I have found the login command with -f flag fails to switch
user account correctly.

This causes a severe security problem. User can get console
having cyg_server rights without password by following steps.

Prepare:
0.1. Install rsh-sever and rsh with inetutils packages.
0.2. Set them up to work properly.

Steps:
1.1. Make ~/.rhosts with line 'localhost'
1.2. Execute 'rlogin localhost'.

Now you can get the cyg_server rights.

This is caused by bug of login command. With the settings
above, rlogind is executed as cyg_server account. If .rhosts
is valid, rlogind executes login command with -f flag.

This should switch the user account to the user specified.
However, login command fails to switch the account.
As a result, shell is executed as cyg_server account
instead of specified user account.

I looked into this problem, and found the bug is in login.c.

The account information of targeted user is set to a pointer:
struct passwd *pwd;
by calling getpwnam(username).

This pointer points the system static area. This area is
overwritten with the account information of current user,
i.e. cyg_server, by calling getpwuid(uid) in isROOT_UID().

getpwnam() and getpwuid() seems to share the same system area.

login calls setuid(pwd->pw_uid) and setgid(pwd->pw_gid) to
switch the account, however area pointed by pwd is already
overwritten to the information of current user.

As a result, the account switching is done to the same user
account (cyg_server) though it should be done to the account
specified.

Above is the mechanism of this bug.

-- 
Takashi Yano <takashi.yano@nifty.ne.jp>

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple