From: Takashi Yano <takashi.yano@nifty.ne.jp>
To: cygwin@cygwin.com
Subject: [bug: login] login command with -f flag fails to switch user account.
Date: Wed, 13 Jun 2018 17:01:00 -0000 [thread overview]
Message-ID: <20180614000248.ddf33c4bf1ee219388db1b65@nifty.ne.jp> (raw)
Hi,
I have found that the login command with the -f flag fails to switch
the user account correctly.
This causes a severe security problem. A user can get a console
with cyg_server rights without a password by following these steps.
Prepare:
0.1. Install rsh-server and rsh with the inetutils packages.
0.2. Set them up to work properly.
Steps:
1.1. Make ~/.rhosts with the line 'localhost'.
1.2. Execute 'rlogin localhost'.
Now you have cyg_server rights.
This is caused by a bug in the login command. With the settings
above, rlogind is executed as the cyg_server account. If .rhosts
is valid, rlogind executes the login command with the -f flag.
This should switch the user account to the user specified.
However, the login command fails to switch the account.
As a result, the shell is executed as the cyg_server account
instead of the specified user account.
I looked into this problem and found that the bug is in login.c.
The account information of the targeted user is set to a pointer:
struct passwd *pwd;
by calling getpwnam(username).
This pointer points to a static system area. This area is
overwritten with the account information of the current user,
i.e. cyg_server, by calling getpwuid(uid) in isROOT_UID().
getpwnam() and getpwuid() seem to share the same system area.
login calls setuid(pwd->pw_uid) and setgid(pwd->pw_gid) to
switch the account; however, the area pointed to by pwd has
already been overwritten with the information of the current user.
As a result, the account switching is done to the same user
account (cyg_server), though it should be done to the account
specified.
The above is the mechanism of this bug.
--
Takashi Yano <takashi.yano@nifty.ne.jp>
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
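The static-buffer hazard the report describes, as an added example that is not Yano's code or Cygwin's login.c: a constructed account table whose two lookups share one static result slot, the sharing POSIX permits for getpwnam() and getpwuid() (the account names and uid/gid values are assumed). The buggy function keeps the pointer across the second lookup, as the report describes for isROOT_UID(); the fixed one copies the fields out first, which is the same protection getpwnam_r() gives with a caller-owned buffer.

```c
#include <stddef.h>
#include <string.h>
#include <sys/types.h>
/* Stand-in for struct passwd with just the fields login needs to switch. */
struct account { const char *name; uid_t uid; gid_t gid; };

/* Constructed account table: a privileged daemon account and a plain user. */
static const struct account table[] = {
    { "cyg_server", 1000, 544 },  /* assumed ids, not Cygwin's real values */
    { "alice",      1001, 545 },
};
#define NTABLE (sizeof table / sizeof table[0])

/* One static result slot, which POSIX lets getpwnam()/getpwuid() share. */
static struct account shared_slot;
static struct account *fill(const struct account *a) { shared_slot = *a; return &shared_slot; }
static struct account *lookup_by_name(const char *name) {
    for (size_t i = 0; i < NTABLE; i++)
        if (strcmp(table[i].name, name) == 0) return fill(&table[i]);
    return NULL;
}
static struct account *lookup_by_uid(uid_t uid) {
    for (size_t i = 0; i < NTABLE; i++)
        if (table[i].uid == uid) return fill(&table[i]);
    return NULL;
}

/* Plays the role of isROOT_UID(): looks up the caller, reusing the slot. */
static int is_root_uid(uid_t current_uid) {
    struct account *me = lookup_by_uid(current_uid);
    return me != NULL && strcmp(me->name, "cyg_server") == 0;
}

/* Buggy order: pointer kept across is_root_uid(), then dereferenced. */
uid_t target_uid_buggy(const char *target, uid_t current_uid) {
    struct account *pwd = lookup_by_name(target);
    if (pwd == NULL) return (uid_t)-1;
    (void)is_root_uid(current_uid);   /* silently overwrites *pwd */
    return pwd->uid;                  /* value setuid() would receive */
}

/* Fixed order: copy the fields out before any further lookup. */
uid_t target_uid_fixed(const char *target, uid_t current_uid) {
    struct account *pwd = lookup_by_name(target);
    if (pwd == NULL) return (uid_t)-1;
    uid_t uid = pwd->uid;             /* snapshot before is_root_uid() */
    (void)is_root_uid(current_uid);
    return uid;
}
```

Run as cyg_server (uid 1000 here) asking for alice, the buggy path hands setuid() the caller's own uid, so no switch happens; the fixed path returns alice's uid.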
Thread overview: 6+ messages
2018-06-13 17:01 Takashi Yano [this message]
2018-06-17 6:22 ` Takashi Yano
2018-06-17 22:31 ` Takashi Yano
2018-06-17 22:31 ` Takashi Yano
2018-06-18 14:48 ` Corinna Vinschen
2018-06-19 2:50 ` Yaakov Selkowitz