From lx@hosix.ntu-kpi.kiev.ua  Mon Jun 22 06:58:59 1998
Received: from ntu-kpi.kiev.ua (root@ntu-kpi.kiev.ua [195.178.136.20])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA03673
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 Jun 1998 06:58:14 -0700 (PDT)
          (envelope-from lx@hosix.ntu-kpi.kiev.ua)
Received: from hosix.ntu-kpi.kiev.ua (hosix.ntu-kpi.kiev.ua [10.100.0.6])
          by ntu-kpi.kiev.ua (8.8.8/8.7.3) with ESMTP id QAA11863
          for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 Jun 1998 16:57:46 +0300 (EEST)
Received: from lx.hosix.ntu-kpi.kiev.ua (lx.hosix.ntu-kpi.kiev.ua [10.100.23.72])
	by hosix.ntu-kpi.kiev.ua (some/some) with ESMTP id QAA26354
	for <FreeBSD-gnats-submit@freebsd.org>; Mon, 22 Jun 1998 16:57:37 +0300 (EEST)
Received: (from lx@localhost)
	by lx.hosix.ntu-kpi.kiev.ua (unknown/hidden) id QAA13790;
	Mon, 22 Jun 1998 16:57:37 +0300 (EEST)
Message-Id: <199806221357.QAA13790@lx.hosix.ntu-kpi.kiev.ua>
Date: Mon, 22 Jun 1998 16:57:37 +0300 (EEST)
From: Alexander Matey <lx@hosix.ntu-kpi.kiev.ua>
Reply-To: lx@hosix.ntu-kpi.kiev.ua
To: FreeBSD-gnats-submit@freebsd.org
Subject: pwd.db almost always contains /etc/shells
X-Send-Pr-Version: 3.2

>Number:         7019
>Category:       bin
>Synopsis:       [security] pwd.db almost always contains /etc/shells
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Jun 22 07:00:00 PDT 1998
>Closed-Date:    Mon Sep 4 15:49:40 PDT 2000
>Last-Modified:  Mon Sep 04 15:53:03 PDT 2000
>Originator:     Alexander Matey
>Release:        FreeBSD 2.2.6-STABLE i386
>Organization:
National Technical University of Ukraine /KPI/
>Environment:

FreeBSD lx.hosix.ntu-kpi.kiev.ua 2.2.6-STABLE FreeBSD 2.2.6-STABLE #0: Thu Jun 18 13:23:15 EEST 1998     root@lx.hosix.ntu-kpi.kiev.ua:/usr/src/sys/compile/LX i386

lx#lx[v2]/usr/src/usr.sbin/pwd_mkdb>ident pwd_mkdb.c
pwd_mkdb.c:
     $Id: pwd_mkdb.c,v 1.15.2.7 1998/02/19 08:10:31 guido Exp $

>Description:

	pwd.db created by pwd_mkdb almost always contains all or part of /etc/shells. This is usually OK unless pwd.db is going to be placed in ftp_root:/etc. It seems that the calls to (dp->put)(dp, &key, &data, method) in pwd_mkdb.c, while writing legal pwd records to the hash database, somehow also write out memory malloced in /usr/src/lib/libc/gen/getusershell.c: initshells(). This memory is malloced by the call to setusershell() in /usr/src/usr.sbin/pwd_mkdb/pw_scan.c while checking the shell entry of the user "root".

>How-To-Repeat:

	# cat > master.passwd
	root:*:0:0::0:0::/nowhere:/nowhere
	ftpown:*:101:101::0:0::/nowhere:/nowhere
	^D
	# pwd_mkdb -d . master.passwd
	pwd_mkdb: warning, unknown root shell
	# strings pwd.db | more

>Fix:
	
	1) rename /etc/shells while building pwd.db for ftp_root:/etc
	2) do not include "root" user in master.passwd
	3) set username with uid 0 to "Root" :-) in master.passwd
	4) use native ftpd built with -DINTERNAL_LS
	5) do not put pwd.db in ftp_root:/etc at all - let ftp_root:/bin/ls produce numeric uids.
	6) fix pwd_mkdb to prevent such behavior
 
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: phk 
State-Changed-When: Wed Jun 24 01:02:25 PDT 1998 
State-Changed-Why:  
awaiting committer 
State-Changed-From-To: suspended->closed 
State-Changed-By: kris 
State-Changed-When: Mon Sep 4 15:49:40 PDT 2000 
State-Changed-Why:  
This is expected behaviour: pwd.db contains the fields in /etc/passwd
in database format, which includes the shell and home directory fields.
If this bothers you, create a copy of /etc/passwd with all of the home
directories and shells reset to a dummy value, and use pwd_mkdb on that.

http://www.freebsd.org/cgi/query-pr.cgi?pr=7019 
>Unformatted:
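
Added example, not part of the original report or of FreeBSD's code: a check to run before publishing a pwd.db under ftp_root:/etc. It separates the two readings in this PR by flagging /etc/shells entries found in the database bytes that no home or shell field of master.passwd accounts for. All function names and the sample byte strings are constructed for illustration; the byte strings do not reproduce the real hash file layout.

```python
import re

def shells_entries(shells_text):
    """Shell paths listed in /etc/shells text (comments and blank lines skipped)."""
    entries = set()
    for line in shells_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("/"):
            entries.add(line)
    return entries

def passwd_fields(master_text):
    """Home and shell fields (9th and 10th) of each master.passwd record."""
    expected = set()
    for line in master_text.splitlines():
        fields = line.split(":")
        if len(fields) == 10 and not line.startswith("#"):
            expected.update(fields[8:10])
    return expected

def unexplained_shells(db_bytes, shells_text, master_text):
    """/etc/shells entries present in db_bytes that no passwd record accounts for."""
    expected = passwd_fields(master_text)
    found = []
    for entry in sorted(shells_entries(shells_text) - expected):
        # Whole-token match: the entry must not be embedded in a longer path.
        pat = rb"(?<![\x21-\x7e])" + re.escape(entry.encode()) + rb"(?![\x21-\x7e])"
        if re.search(pat, db_bytes):
            found.append(entry)
    return found

# Constructed inputs; the master.passwd lines are the two from How-To-Repeat.
MASTER = ("root:*:0:0::0:0::/nowhere:/nowhere\n"
          "ftpown:*:101:101::0:0::/nowhere:/nowhere\n")
SHELLS = "# constructed /etc/shells\n/bin/sh\n/bin/csh\n"
# Constructed byte strings standing in for pwd.db contents (not the real layout).
CLEAN_DB = (b"\x00root\x00*\x00/nowhere\x00/nowhere"
            b"\x00ftpown\x00*\x00/nowhere\x00/nowhere\x00")
DIRTY_DB = CLEAN_DB + b"\xff\xff/bin/sh\n/bin/csh\n\x00\x00"

if __name__ == "__main__":
    print("clean:", unexplained_shells(CLEAN_DB, SHELLS, MASTER))
    print("dirty:", unexplained_shells(DIRTY_DB, SHELLS, MASTER))
```

An entry that is also some account's shell is treated as accounted for, so an empty result rules out only entries that no record uses.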
