Re: Nasty SunOS initgroups() bug

Doug Hughes (Doug.Hughes@Eng.Auburn.EDU)
Wed, 15 May 1996 08:07:43 -0500

>
>Glad to see bugtraq is functional again, despite the fair bit of
>noise, it was the best source of information about.
>
>Anyway....
>
>When using NIS, SunOS picks the wrong field within initgroups() when there
>is an empty passwd.
>
>For instance, we had the following entry in our NIS passwd file
>(this is what caused us to discover the bug.)
>
>gopher::81:99:Public Access Gopher:/home/gopher:/usr/local/bin/rgopher
>
>We are using shadowed passwords, but we don't have them for this entry, as
>we don't want people to get a password prompt at all.
>
>Now, what is happening is that the system (specifically initgroups()) is
>using 99 as the UID by which to set groups, not 81.  This is *very* bad.
>
>Let me show you using account blahblah (same entry as above w/ different
>username and shell only)
>
>group 99 = internal
>uid 99 = jamesd
>----
>
>[90](root)claudia:~darrell# groups blahblah
>blahblah : internal
>
>[91](root)claudia:~darrell# groups jamesd
>jamesd : internal russ support billing teleport majordom www wheel users progs
>bbs admin ftp
>
>[92](root)claudia:~darrell# telnet julie
>Trying 192.108.254.19 ...
>Connected to julie.teleport.com.
>Escape character is '^]'.
>
>
>SunOS UNIX (julie)
>
>login: blahblah
>> id
>uid=81(gopher) gid=99(internal),groups=99(internal),0(wheel),
>61(admin),81(ftp),83(majordom),86(support),
>87(billing),97(www),98(russ),100(teleport),101(users),106(progs)
>
>----

In SunOS running shadow passwords you MUST have the password field
filled with ##gopher (or whatever the account name is). This doesn't
mean the bug isn't nasty, but, you do have to follow the rules to
make it work correctly. Leave the password field blank in the shadow
map.

If you do this, you won't see the bug. I wouldn't hold your breath
on Sun fixing this one either. They have an out. They can tell you
to follow the rules and you won't have the problem. Besides which
they aren't spending much time on SunOS4 these days.


--
____________________________________________________________________________
Doug Hughes                                     Engineering Network Services
System/Net Admin                                Auburn University
                        doug@eng.auburn.edu
                Pro is to Con as progress is to congress
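
As an added example (not part of the original message), a shell check for the rule stated in the reply above: it reads passwd-format lines and reports every entry whose password field is empty or is not `##` followed by the login name. The function names and the `demo1`/`demo2` entries are constructed, and the check assumes every account in the map is meant to be shadowed.

```shell
#!/bin/sh
# Added example: audit passwd-format lines for the "##<login>" rule that
# the reply gives for SunOS with shadow passwords.
# Typical use on a NIS client:  ypcat passwd | audit_passwd_fields

audit_passwd_fields() {
    # Reads passwd(5)-format lines on stdin, prints one finding per bad entry.
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }      # skip blank lines and comments
        /^[+-]/            { next }      # skip NIS "+"/"-" inclusion entries
        NF < 7 {
            printf "%s: malformed entry (%d fields)\n", $1, NF
            next
        }
        $2 == "" {
            # The case from the report: empty field in the passwd map.
            printf "%s: EMPTY password field\n", $1
            next
        }
        $2 != ("##" $1) {
            # Assumption: all accounts are shadowed, so anything else is wrong.
            printf "%s: password field is not ##%s\n", $1, $1
        }
    '
}

sample_passwd() {
    # First line is the entry quoted in the report; the rest are constructed.
    cat <<'EOF'
gopher::81:99:Public Access Gopher:/home/gopher:/usr/local/bin/rgopher
demo1:##demo1:1001:99:Constructed entry:/home/demo1:/bin/csh
demo2:x:1002:99:Constructed entry:/home/demo2:/bin/csh
+::0:0:::
EOF
}
```

Running `sample_passwd | audit_passwd_fields` reports `gopher` and `demo2` and stays silent about `demo1` and the `+` inclusion line.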