Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/5/84; site godot.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!princeton!astrovax!godot!bruce
From: bruce@godot.UUCP (Bruce Nemnich)
Newsgroups: net.bugs.4bsd
Subject: getpwent(3) bug -- security hole
Message-ID: <182@godot.UUCP>
Date: Wed, 19-Sep-84 14:52:44 EDT
Article-I.D.: godot.182
Posted: Wed Sep 19 14:52:44 1984
Date-Received: Tue, 25-Sep-84 05:24:17 EDT
Distribution: net
Organization: Thinking Machines, Cambridge, MA
Lines: 59

There was some discussion a few months ago about a problem with null entries in /etc/passwd. These can be caused by running chfn or chsh on a passwd file which has a blank line, often mistakenly left at the end of the file by humans. It presents a gaping security hole if it happens.

The problem is in getpwent(3). There are two parts to my fix: the first keeps a newline from getting in a field in the returned structure if not all fields are filled out on the passwd line, and the second ignores leading whitespace and blank lines.

*** /tmp/,RCSt1014083 Wed Sep 19 14:38:06 1984 --- getpwent.c Wed Sep 19 14:08:15 1984 *************** *** 28,34 pwskip(p) register char *p; { ! while( *p && *p != ':' ) ++p; if( *p ) *p++ = 0; return(p); --- 28,34 ----- pwskip(p) register char *p; { ! while( *p && *p != ':' && *p != '\n') ++p; if( *p ) *p++ = 0; return(p); *************** *** 43,51 if( (pwf = fopen( PASSWD, "r" )) == NULL ) return(0); } ! p = fgets(line, BUFSIZ, pwf); ! if (p==NULL) ! return(0); passwd.pw_name = p; p = pwskip(p); passwd.pw_passwd = p; --- 43,55 ----- if( (pwf = fopen( PASSWD, "r" )) == NULL ) return(0); } ! do { ! p = fgets(line, BUFSIZ, pwf); ! if (p==NULL) ! return(0); ! /* skip whiteness at beginning of line */ ! while (*p == '\t' || *p == ' ' || *p == '\n') p++; ! 
} while (*p == '\0'); /* skip blank lines */ passwd.pw_name = p; p = pwskip(p); passwd.pw_passwd = p;

--
--Bruce Nemnich, Thinking Machines Corporation, Cambridge, MA
{astrovax,cca,harvard,ihnp4,ima,mit-eddie,...}!godot!bruce, BJN@MIT-MC.ARPA
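
Review bot: in the pwskip() hunk, a line with too few ':' separators is still accepted after this change. Once the '\n' has been overwritten with 0, each later pwskip() call returns immediately and the remaining fields become empty strings. Consider having the caller count the separators it actually found and skip a line that has fewer than expected, instead of returning a partially filled entry.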
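
Review bot: the new do/while loop in the second hunk only rejects lines that are empty after leading whitespace, so a line whose first non-blank character is ':' still reaches "passwd.pw_name = p" and yields an entry with an empty name. Extending the loop condition to also skip when *p == ':' would cover that case. Separately, "fgets(line, BUFSIZ, pwf)" is not followed by any check that the line ended in a newline, so the tail of an over-long line would be parsed as if it were a new entry.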
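
An added example, not part of the original post or of the getpwent.c source: a small C checker for the condition the post describes. It flags blank, whitespace-only, empty-name and short lines in passwd-format text so they can be found before a library routine parses them. The function names, the seven-field layout and the sample data are assumptions constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: name:passwd:uid:gid:gecos:dir:shell, i.e. 7 fields, 6 colons. */
#define PW_FIELDS 7

enum pw_line_status { PW_OK = 0, PW_BLANK, PW_EMPTY_NAME, PW_BAD_FIELDS };

/* Classify one line; reading stops at '\n' or at the end of the string. */
enum pw_line_status pw_check_line(const char *p)
{
    int colons = 0;

    while (*p == ' ' || *p == '\t')      /* leading whitespace */
        p++;
    if (*p == '\0' || *p == '\n')
        return PW_BLANK;                 /* the "null entry" source in the post */
    if (*p == ':')
        return PW_EMPTY_NAME;            /* entry with no login name */
    for (; *p && *p != '\n'; p++)
        if (*p == ':')
            colons++;
    return colons == PW_FIELDS - 1 ? PW_OK : PW_BAD_FIELDS;
}

/* Walk a whole file image and count the lines that are not PW_OK. */
int pw_count_bad(const char *text)
{
    int bad = 0;

    while (*text) {
        if (pw_check_line(text) != PW_OK)
            bad++;
        text += strcspn(text, "\n");     /* advance to the end of this line */
        if (*text == '\n')
            text++;
    }
    return bad;
}

/* Constructed sample: two good entries, one short, two blank lines. */
static const char sample[] =
    "root:*:0:0:Operator:/:/bin/csh\n"
    "alice:*:100:10:Alice:/usr/alice:/bin/csh\n"
    "daemon:*:1:1\n"
    "   \n"
    "\n";

int main(void)
{
    printf("suspect lines: %d\n", pw_count_bad(sample));
    return 0;
}
```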