From amjudge@dsg.cs.tcd.ie  Wed Nov 30 04:47:08 1994
Received: from longvalley.dsg.cs.tcd.ie (longvalley.dsg.cs.tcd.ie [134.226.36.37]) by freefall.cdrom.com (8.6.8/8.6.6) with SMTP id EAA15891 for <FreeBSD-gnats-submit@freebsd.org>; Wed, 30 Nov 1994 04:43:51 -0800
Received: from janis.dsg.cs.tcd.ie by longvalley.dsg.cs.tcd.ie id aa22024;
          30 Nov 94 12:43 GMT
Received: (from amjudge@localhost) by janis.dsg.cs.tcd.ie (8.6.9/8.6.9) id MAA22796; Wed, 30 Nov 1994 12:43:39 GMT
Message-Id: <199411301243.MAA22796@janis.dsg.cs.tcd.ie>
Date: Wed, 30 Nov 1994 12:43:39 GMT
From: Alan Judge <amjudge@dsg.cs.tcd.ie>
Reply-To: amjudge@dsg.cs.tcd.ie
To: FreeBSD-gnats-submit@freebsd.org
Cc: amjudge@dsg.cs.tcd.ie
Subject: Security bug in password expiry
X-Send-Pr-Version: 3.2

>Number:         32
>Category:       bin
>Synopsis:       Bug in password expiry allows users to change other passwords
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    core (FreeBSD core team)
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 30 04:50:02 1994
>Closed-Date:    Wed Nov 30 14:42:47 PST 1994
>Last-Modified:
>Originator:     Alan Judge
>Release:        FreeBSD 2.0-RELEASE i386
>Organization:
Trinity College, Dublin, Ireland.
>Environment:

	FreeBSD 2.0 installed with minimal changes.

>Description:

	It would seem that the password expiry code (in login) gets confused.
	Or maybe the code in the exec'ed passwd.  Anyway the net effect is
	that you get presented with something like:

   FreeBSD (janis.dsg.cs.tcd.ie) (ttyp2)

login: testuser
Sorry -- your password has expired.
Changing local password for amjudge.
New password:

	Note that passwd is changing the password for a different user.  Note
	also that it doesn't prompt for the old password.

	The user it picks seems to vary.  When I tried a console login, it
	offered to change root's password!


	I also note that you can interrupt the passwd change and login anyway
	without changing password.

>How-To-Repeat:

	Add a line like:
	testuser::1000:200::2000:0:test user:/tmp:/bin/csh
	using vipw, and login as testuser.

>Fix:
	
	Dunno.

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed
State-Changed-By: davidg
State-Changed-When: Wed Nov 30 14:42:47 PST 1994
State-Changed-Why:
This bug was fixed by Ugen; basically, added a setuid before
forking the passwd and also checking the return status to make sure
the user really did change it.
>Unformatted:
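Added illustration of the two-part fix named in the audit trail (this is example code, not FreeBSD's login or passwd source): the child drops to the login user's uid and gid before exec, so the helper can only act for that user and not for whoever login runs as, and the parent accepts a password change only when the helper exits 0, so an interrupted or failed helper cannot let the user through. The names run_as_user and password_change_succeeded are assumed here, and /bin/sh stands in for passwd so the block runs anywhere.

```c
/* Example code, not FreeBSD's login: run a helper as the login user and
 * report success only on a clean exit 0. Function names are assumed. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork, switch the child to uid/gid, exec argv[0], and return the child's
 * exit status. Returns -1 when fork or wait fails, when the child could
 * not drop privileges or exec, or when it died from a signal (e.g. ^C). */
int run_as_user(uid_t uid, gid_t gid, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* The original bug: passwd ran with login's own credentials and
         * changed a different user's password. Drop privileges first. */
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(127);
        execv(argv[0], argv);
        _exit(127); /* exec failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    if (!WIFEXITED(status)) /* killed or interrupted: not a change */
        return -1;
    return WEXITSTATUS(status);
}

/* The second half of the fix: login must only proceed when the helper
 * really reported success. Anything else keeps the expired password. */
int password_change_succeeded(uid_t uid, gid_t gid, char *const argv[])
{
    return run_as_user(uid, gid, argv) == 0;
}

int main(void)
{
    /* Constructed stand-ins for passwd: a helper that succeeds, one that
     * fails, and one that dies from a signal, all run as the current user. */
    char *const ok[] = { "/bin/sh", "-c", "exit 0", NULL };
    char *const bad[] = { "/bin/sh", "-c", "exit 1", NULL };
    char *const killed[] = { "/bin/sh", "-c", "kill -9 $$", NULL };
    printf("ok=%d bad=%d killed=%d\n",
           password_change_succeeded(getuid(), getgid(), ok),
           password_change_succeeded(getuid(), getgid(), bad),
           password_change_succeeded(getuid(), getgid(), killed));
    return 0;
}
```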
