From proff@profane.iq.org  Sun Jan 26 03:17:24 1997
Received: from profane.iq.org (profane.iq.org [203.4.184.217])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id DAA02226;
          Sun, 26 Jan 1997 03:17:10 -0800 (PST)
Received: (from proff@localhost)
          by profane.iq.org (8.8.4/8.8.2) id WAA16474;
          Sun, 26 Jan 1997 22:17:20 +1100 (EST)
Message-Id: <199701261117.WAA16474@profane.iq.org>
Date: Sun, 26 Jan 1997 22:17:20 +1100 (EST)
From: Julian Assange <proff@iq.org>
Reply-To: proff@iq.org
To: FreeBSD-gnats-submit@freebsd.org, dyson@freebsd.org
Subject: <Synopsis of the problem (one line)> [small] security hole and nfs compatibility bug in rexecd.c
X-Send-Pr-Version: 3.2

>Number:         2593
>Category:       bin
>Synopsis:       [small] security hole and nfs compatibility bug in rexecd.c
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    imp
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jan 26 03:20:01 PST 1997
>Closed-Date:    Sun Mar 23 22:57:42 MST 1997
>Last-Modified:  Sun Mar 23 22:58:07 MST 1997
>Originator:     Julian Assange
>Release:        FreeBSD 3.0-CURRENT i386
>Organization:
>Environment:

	

>Description:

	rexecd.c performs a chdir(home) as root rather than as
	user, possibly allowing the rexecd.c client access to
	directories they would have otherwise been barred from.
	The condition also has the effect of breaking all nfs
	mounted home directories where root is mapped to non-root,
	and the home directory is o-x. Additionally the buffer
	overflow in error() I reported earlier does not exist (I
	somehow managed (ADD?;) to mix up the order of the arguments
	in my head, swapping err<->buf).


	

>How-To-Repeat:

	

>Fix:
	
	


--- src/libexec/rexecd/rexecd.c~	Sun Jan 26 21:48:35 1997
+++ src/libexec/rexecd/rexecd.c	Sun Jan 26 22:05:03 1997
@@ -66,9 +66,9 @@
 /*VARARGS1*/
 int error();
 
-char	username[20] = "USER=";
-char	homedir[64] = "HOME=";
-char	shell[64] = "SHELL=";
+char	username[MAXLOGNAME+5+1] = "USER=";
+char	homedir[MAXPATHLEN+5+1]  = "HOME=";
+char	shell[MAXPATHLEN+6+1]    = "SHELL=";
 char	path[sizeof(_PATH_DEFPATH) + sizeof("PATH=")] = "PATH=";
 char	*envinit[] =
 	    {homedir, shell, path, username, 0};
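Review bot: the new sizes only help if the code that later fills username/homedir/shell from pw_name/pw_dir/pw_shell is bounded to match; that copying code is outside this hunk and should be checked in the same change. Two smaller points: MAXLOGNAME and MAXPATHLEN need <sys/param.h> to be included, and the hand-counted `+5+1` / `+6+1` offsets would be less error-prone written the way the `path` line just below already does it, e.g. `char homedir[MAXPATHLEN + sizeof("HOME=")] = "HOME=";` (sizeof includes the NUL, so the explicit +1 goes away).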
@@ -213,10 +213,6 @@
 
 	syslog(LOG_INFO, "login from %s as %s", remote, user);
 
-	if (chdir(pwd->pw_dir) < 0) {
-		error("No remote directory.\n");
-		exit(1);
-	}
 	(void) write(2, "\0", 1);
 	if (port) {
 		(void) pipe(pv);
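Review bot: removing the chdir here is the substantive fix, since at this point the process still runs as root and the kernel's permission check on pw_dir is made with root's credentials (the NFS root-squash case in the description is the same check failing the other way). One behaviour change to document: the `write(2, "\0", 1)` that follows is the success acknowledgement to the client, so after this patch an unreadable home directory is reported only after the client has already been told the login succeeded, instead of as a pre-ack error() message.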
@@ -276,6 +272,10 @@
 		cp++;
 	else
 		cp = pwd->pw_shell;
+	if (chdir(pwd->pw_dir) < 0) {
+		perror("bad remote directory.\n");
+		exit(1);
+	}
 	execl(pwd->pw_shell, cp, "-c", cmdbuf, 0);
 	perror(pwd->pw_shell);
 	exit(1);
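Review bot: `perror("bad remote directory.\n")` should not carry the trailing newline; perror appends ": <strerror>" and its own newline after the string, so as written the errno text lands on a line of its own after a blank-looking message. Use `perror("bad remote directory");` to match the `perror(pwd->pw_shell)` call two lines later. The placement is right: the chdir now runs after the uid/gid switch and immediately before execl, so the directory check is made with the user's credentials.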
@@ -289,7 +289,7 @@
 	char buf[BUFSIZ];
 
 	buf[0] = 1;
-	(void) sprintf(buf+1, fmt, a1, a2, a3);
+	(void) snprintf(buf+1, sizeof(buf)-1, fmt, a1, a2, a3);
 	(void) write(2, buf, strlen(buf));
 }
 
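Review bot: the size argument `sizeof(buf)-1` is correct, since the formatted text starts at buf+1 and the status byte occupies buf[0]. Worth noting in the commit message that snprintf truncates silently here, which is acceptable because fmt is always a fixed string supplied by rexecd itself. The fixed a1/a2/a3 parameters are pre-stdarg varargs style; if this function is touched again, a `va_list` with vsnprintf would be the idiomatic replacement.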
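As an added illustration of the two points this PR makes (the privilege-ordering bug around chdir, and bounding the environment-string buffers), here is a small stand-alone C program. It is not code from the PR or from rexecd.c; the helper names `chdir_as_user` and `build_env_var`, and the `/home/example` value, are hypothetical. `chdir_as_user` switches to the target credentials before the chdir so the kernel evaluates directory permissions as the user, which is exactly what moving the chdir past the setuid in the patch achieves; `build_env_var` builds a `NAME=value` string into a fixed buffer and reports truncation instead of overrunning it.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper (added example, not rexecd code): format
 * "NAME=value" into a fixed-size buffer.  Returns 0 on success and -1
 * if the result would not fit; on -1 the buffer is left empty rather
 * than holding a half-built string that a later exec might use. */
int build_env_var(char *dst, size_t dstsz, const char *name, const char *value)
{
    int n = snprintf(dst, dstsz, "%s=%s", name, value);
    if (n < 0 || (size_t)n >= dstsz) {
        if (dstsz > 0)
            dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Hypothetical helper: drop to the target user's credentials first
 * (group before user, otherwise setgid would fail once we are no
 * longer root), then chdir into the home directory.  Doing the chdir
 * after the switch means the kernel's permission check on the
 * directory is made with the user's uid/gid, not root's, so a
 * directory the user cannot traverse is refused and an NFS export
 * that maps root to nobody is no longer wrongly refused.
 * Returns 0 on success, -1 on any failure (the caller should exit). */
int chdir_as_user(uid_t uid, gid_t gid, const char *dir)
{
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (chdir(dir) != 0)
        return -1;
    return 0;
}

int main(void)
{
    char homedir[64];
    char tiny[8];

    /* Constructed sample value; a real daemon would use pwd->pw_dir. */
    if (build_env_var(homedir, sizeof homedir, "HOME", "/home/example") == 0)
        printf("env ok: %s\n", homedir);

    /* Deliberately too small: the old fixed 64-byte arrays in rexecd
     * had the same failure mode for long paths, except unchecked. */
    if (build_env_var(tiny, sizeof tiny, "HOME", "/home/example") != 0)
        printf("env refused: value too long for %zu-byte buffer\n", sizeof tiny);

    /* Using our own ids keeps the demo runnable without privilege. */
    if (chdir_as_user(getuid(), getgid(), "/") == 0)
        printf("chdir as uid %u succeeded\n", (unsigned)getuid());
    if (chdir_as_user(getuid(), getgid(), "/nonexistent-example-dir") != 0)
        printf("chdir to missing directory correctly refused\n");
    return 0;
}
```

The demonstration uses the caller's own uid and gid so it runs unprivileged; in a daemon the values come from the password entry, and the order (setgid, setuid, chdir, exec) is the one that matters.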
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->imp 
Responsible-Changed-By: imp 
Responsible-Changed-When: Thu Feb 13 08:45:57 MST 1997 
Responsible-Changed-Why:  
I've applied this change to my local tree and will apply it to the
source base once I'm satisfied it works.  The buffer overflow with sprintf
has already been fixed as part of a sweep of OpenBSD changes that I made.
State-Changed-From-To: open->closed 
State-Changed-By: imp 
State-Changed-When: Sun Mar 23 22:57:42 MST 1997 
State-Changed-Why:  

Fixed in 1.14 of rexecd.c 
>Unformatted:
