GNU finger 1.37 executes ~/.fingerrc with gid root

Thomas Roessler (roessler@sobolev.cologne.de)
Fri, 17 Mar 1995 12:42:02 +0100 (MET)

There is a bug in the `lib/site/userinfo.c' module of GNU finger version
1.37 allowing any user on a system to execute arbitrary commands with gid
root from ~/.fingerrc. The problem is that GNU finger *first* changes its
userid, thus giving away root privileges, and *then* tries to change its gid,
which will not succeed: a process that is no longer root cannot setgid() to
an arbitrary group, and since the return value is never checked, ~/.fingerrc
is executed with the root gid still in effect.

Greetings, Thomas


*** userinfo.c.orig	Fri Mar 17 12:12:28 1995
--- userinfo.c	Fri Mar 17 12:12:37 1995
***************
*** 241,262 ****
  	      dup (fileno (*streamp));
  	    }
  
  	  if (fileno (*streamp) != 2)
  	    {
  	      close (2);
  	      dup (fileno (*streamp));
  	    }
  
       	  /* Set uid/gid */
- 	  setuid (user->pw_uid);
  	  setgid (user->pw_gid);
  
  	  /* Set default directory */
  	  chdir (user->pw_dir);
  
  	  /* Run ~/.fingerrc through user shell */
  #ifdef FINGERRC_SHELL
  	  execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
  #else	  
  	  execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
  #endif
--- 241,262 ----
  	      dup (fileno (*streamp));
  	    }
  
  	  if (fileno (*streamp) != 2)
  	    {
  	      close (2);
  	      dup (fileno (*streamp));
  	    }
  
       	  /* Set uid/gid */
  	  setgid (user->pw_gid);
+ 	  setuid (user->pw_uid);
  
  	  /* Set default directory */
  	  chdir (user->pw_dir);
  
  	  /* Run ~/.fingerrc through user shell */
  #ifdef FINGERRC_SHELL
  	  execlp (FINGERRC_SHELL, FINGERRC_SHELL, "-c", file, NULL);
  #else	  
  	  execlp (user->pw_shell, user->pw_shell, "-c", file, NULL);
  #endif
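Review bot: the reordering is correct, but both setgid (user->pw_gid) and setuid (user->pw_uid) still have their return values ignored, so if either call fails the code falls through to execlp and runs ~/.fingerrc with whatever privilege was not dropped, which is the same class of problem this patch is fixing. Suggest checking each call and bailing out before the execlp, e.g. `if (setgid (user->pw_gid) != 0 || setuid (user->pw_uid) != 0) _exit (1);`. Nothing in this hunk clears supplementary groups either; a setgroups() call made while still root, ahead of the setgid, would complete the privilege drop.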
-- 
roessler@rhein.iam.uni-bonn.de * roessler@sobolev.cologne.de
MURPHY'S LAW:
  If anything can go wrong, it will.
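The privilege-drop sequence described in the report above, as an added example in C that is not GNU finger's own code: it keeps the patched order (gid first, then uid) and additionally checks every return value and verifies the result before anything would be exec'd on the user's behalf. It assumes the target ids are the invoking user's own so that it runs unprivileged; the names drop_privileges and privileges_dropped are mine.

```c
/* Added example (not from GNU finger): drop to a target uid/gid in the
 * safe order and refuse to continue if any step fails. */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success, -1 if a step failed (errno is left set).
 * Order matters: once setuid() has succeeded the process is no longer
 * root, so a later setgid() to a different gid would fail, which is
 * exactly the bug in finger 1.37. A complete drop would also call
 * setgroups() to clear supplementary groups before setgid(), while
 * still privileged; it is omitted here to keep the example portable. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Group first, while the privilege to change it is still held. */
    if (setgid(gid) != 0)
        return -1;
    /* User last: after this the process is unprivileged. */
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Returns 1 if real and effective uid/gid all match the target, else 0.
 * Check this before exec'ing anything on behalf of the user. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid
        && getgid() == gid && getegid() == gid;
}

int main(void)
{
    /* Assumed target: the caller's own ids, so the demo needs no root.
     * A finger daemon would pass user->pw_uid and user->pw_gid here. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_privileges(uid, gid) != 0 || !privileges_dropped(uid, gid)) {
        perror("drop_privileges");
        return 1;
    }
    printf("running as uid %u gid %u\n", (unsigned)uid, (unsigned)gid);
    return 0;
}
```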