From nobody  Mon Oct 27 12:44:34 1997
Received: (from nobody@localhost)
          by hub.freebsd.org (8.8.7/8.8.7) id MAA24335;
          Mon, 27 Oct 1997 12:44:34 -0800 (PST)
          (envelope-from nobody)
Message-Id: <199710272044.MAA24335@hub.freebsd.org>
Date: Mon, 27 Oct 1997 12:44:34 -0800 (PST)
From: kwhite@csi.uottawa.ca
To: freebsd-gnats-submit@freebsd.org
Subject: incorrect NIS netgroup information may be used for passwd entries
X-Send-Pr-Version: www-1.0

>Number:         4867
>Category:       bin
>Synopsis:       incorrect NIS netgroup information may be used for passwd entries
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Oct 27 12:50:01 PST 1997
>Closed-Date:    Sat Nov 15 19:04:46 PST 1997
>Last-Modified:  Sat Nov 15 19:08:09 PST 1997
>Originator:     Keith White
>Release:        2.2.2
>Organization:
SITE, University of Ottawa
>Environment:
FreeBSD mail2.csi.uottawa.ca 2.2.2-RELEASE FreeBSD 2.2.2-RELEASE #0: Fri Oct 24 16:54:19 EDT 1997     kwhite@mail2.csi.uottawa.ca:/usr/src/sys/compile/MAIL2  i386

>Description:
The innetgr() helper routine _listmatch() in
/usr/src/lib/libc/gen/getnetgrent.c returns false positives
for netgroups that match the regular expression '^.*group$'
(substitute for group).  This allows for "surprising" entries in the
password file to be used.

For example, if your password file contains entries like this:

+@baduser:::::::::/bin/abusemsg
+@user:::::::::/bin/sh

a user in the "user" netgroup *may* get the "baduser" shell.
(depends on the order of the user's entry in netgroups.byuser)
>How-To-Repeat:
create NIS users a and b
place user a in netgroup baduser
place user b in netgroup user
Add the above two lines to the password file
Notice how user b is treated like a "baduser"

>Fix:
The following _listmatch() routine may work better:

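#include <string.h>

/*
 * Return 1 if group appears in the comma-separated list as a whole entry,
 * 0 otherwise.  len is not used by this version.
 */
static int _listmatch(list, group, len)
char *list, *group;
int len;
{
        char *ptr = list;
        int glen = strlen(group);

        while ( (ptr = strstr(ptr, group)) ) {
                /* step past the candidate match */
                ptr += glen;
                /* accept only if it starts at the list head or after ','
                 * and ends at ',' or at the end of the list */
                if ((ptr-glen == list || ptr[-glen-1] == ',') &&
                        (*ptr == ',' || *ptr == '\0'))
                        return(1);
        }

        return(0);
}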

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->closed 
State-Changed-By: wpaul 
State-Changed-When: Sat Nov 15 19:04:46 PST 1997 
State-Changed-Why:  

Fixed in rev 1.23 (in -current) and 1.17.2.4 (in RELENG_2_2) of 
getnetgrent.c. I rewrote _listmatch() so that it no longer returns 
false matches. 

-Bill 
>Unformatted:
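
Added example, not part of the original report and not FreeBSD's code: a matcher with the flaw described under >Description (a constructed stand-in, not the pre-fix libc routine) beside a token-exact matcher, run over constructed netgroup lists. The names suffix_listmatch, exact_listmatch, samples and count_false_positives are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the reported flaw: a hit need only END on a delimiter. */
static int suffix_listmatch(const char *list, const char *group)
{
    size_t glen = strlen(group);
    while (glen != 0 && (list = strstr(list, group)) != NULL) {
        list += glen;
        if (*list == ',' || *list == '\0')
            return 1;
    }
    return 0;
}

/* Token-exact check: each comma-separated entry must equal group in full. */
static int exact_listmatch(const char *list, const char *group)
{
    size_t glen = strlen(group);
    for (;;) {
        size_t tlen = strcspn(list, ",");
        if (glen != 0 && tlen == glen && memcmp(list, group, glen) == 0)
            return 1;
        if (list[tlen] == '\0')
            return 0;
        list += tlen + 1;
    }
}

/* Constructed samples: {netgroup list for a user, netgroup being tested}. */
static const char *samples[][2] = {
    { "baduser", "user" }, { "staff,baduser", "user" }, { "user", "user" },
    { "baduser,user", "user" }, { "users,admin", "user" }, { "user", "baduser" },
};

/* Count samples the suffix matcher accepts but the exact matcher rejects. */
static int count_false_positives(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        n += suffix_listmatch(samples[i][0], samples[i][1]) &&
             !exact_listmatch(samples[i][0], samples[i][1]);
    return n;
}

int main(void)
{
    printf("false positives: %d\n", count_false_positives());
    return 0;
}
```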
