Message-Id: <201005182111.o4ILBQIM025066@www.freebsd.org>
Date: Tue, 18 May 2010 21:11:26 GMT
From: Paul Rascagneres <rootbsd@r00ted.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: We can create a file in /etc with simple user using chpass
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         146718
>Category:       kern
>Synopsis:       We can create a file in /etc with simple user using chpass
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 18 21:20:01 UTC 2010
>Closed-Date:    Mon Jun 07 05:11:19 UTC 2010
>Last-Modified:  Mon Jun 07 05:11:19 UTC 2010
>Originator:     Paul Rascagneres
>Release:        FreeBSD 8.0
>Organization:
-
>Environment:
FreeBSD freebsd-laptop 8.0-STABLE FreeBSD 8.0-STABLE #1: Thu May 13 18:40:45 UTC 2010     root@freebsd-laptop:/usr/obj/usr/src/sys/POL_DTRACE  i386
>Description:
We can create a file in /etc by killing chpass. Example on my website : http://www.r00ted.com/doku.php?id=0day_freebsd_chpass


Example :

On xterm 1 :
[pol@freebsd-laptop]$ export EDITOR=vi
[pol@freebsd-laptop]$ chpass
#Changing user information for pol.
Shell: /usr/local/bin/bash
Full Name: User &
Office Location:
Office Phone:
Home Phone:
Other information:

On xterm 2 :
[pol@freebsd-laptop ~]$ ps aux | grep chpass
root   1736  0.0  0.1  3504  1276   2  SN+  11:56PM   0:00.00 chpass
pol    1739  0.0  0.1  3496  1260   4  SN+  11:56PM   0:00.00 grep chpass
[pol@freebsd-laptop ~]$ pstree 1736
-+= 01736 root chpass
 \--- 01737 pol vi /etc/pw.Iu09aU
[pol@freebsd-laptop ~]$ kill -9 01736

After the kill, the file is not removed from /etc :

[pol@freebsd-laptop ~]$ ls -l /etc/pw.Iu09aU 
-rw-------  1 pol  pol  147 May 17 23:56 /etc/pw.Iu09aU


I think it's strange to create temp file in /etc... Why put it on /tmp?
>How-To-Repeat:
I mentioned it in the full description.
>Fix:
I think you need to modify the tempname in the file /usr/src/lib/libutil/pw_util.c to put it on /tmp

>Release-Note:
>Audit-Trail:

From: Remko Lodder <remko@elvandar.org>
To: Paul Rascagneres <rootbsd@r00ted.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: i386/146718: We can create a file in /etc with simple user using chpass
Date: Thu, 20 May 2010 08:10:52 +0200

 On May 18, 2010, at 11:11 PM, Paul Rascagneres wrote:
 >
 > I think it's strange to create temp file in /etc... Why put it on /tmp?
 >> How-To-Repeat:
 > I mention it on full description.
 >> Fix:
 > I think you need to modify the tempname in the file /usr/src/lib/libutil/pw_util.c to put it on /tmp
 
 
 /tmp might be on a different file system (which is the case if you use
 automatic assignment), making it impossible to use this tool within
 single-user mode, for example. I think the default is fine.
 
 -- 
 /"\   Best regards,                        | remko@FreeBSD.org
 \ /   Remko Lodder                      | remko@EFnet
 X    http://www.evilcoder.org/    |
 / \   ASCII Ribbon Campaign    | Against HTML Mail and News
 
Responsible-Changed-From-To: freebsd-i386->secteam 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Mon Jun 7 05:03:10 UTC 2010 
Responsible-Changed-Why:  
security-related. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=146718 
State-Changed-From-To: open->closed 
State-Changed-By: cperciva 
State-Changed-When: Mon Jun 7 05:10:39 UTC 2010 
State-Changed-Why:  
This behaviour is by design, and we do not consider it to be a security 
problem. 


>Unformatted:
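
Added example, not part of the PR and not FreeBSD's code: a small C program showing why the `kill -9` in the report leaves the temporary file behind. SIGKILL cannot be caught, so a handler that removes the file on SIGTERM never gets a chance to run. The `/tmp/pw.XXXXXX` template and the names `leftover_after` and `cleanup` are assumptions for illustration; this does not reproduce chpass's own cleanup logic.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed scratch path; the file in the report was /etc/pw.Iu09aU. */
static char tmpl[] = "/tmp/pw.XXXXXX";

/* Cleanup handler: unlink() and _exit() are async-signal-safe. */
static void cleanup(int sig) { (void)sig; unlink(tmpl); _exit(1); }

/* Fork a child that holds a temp file, kill it with `sig`, and report
 * whether the file is still there: 1 = left behind, 0 = removed, -1 = error. */
int leftover_after(int sig)
{
    int ready[2];
    char path[sizeof(tmpl)];
    struct stat sb;
    if (pipe(ready) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                      /* child: stands in for the edit session */
        close(ready[0]);
        signal(SIGTERM, cleanup);        /* catchable: handler removes the file */
        signal(SIGKILL, cleanup);        /* rejected with EINVAL: cannot be caught */
        if (mkstemp(tmpl) == -1) _exit(2);
        if (write(ready[1], tmpl, sizeof(tmpl)) != (ssize_t)sizeof(tmpl)) _exit(2);
        for (;;) pause();
    }
    close(ready[1]);
    ssize_t n = read(ready[0], path, sizeof(path));
    close(ready[0]);
    if (n != (ssize_t)sizeof(path)) sig = SIGKILL;   /* child failed early: reap it */
    kill(pid, sig);
    waitpid(pid, NULL, 0);
    if (n != (ssize_t)sizeof(path)) return -1;
    int left = (stat(path, &sb) == 0);
    if (left) unlink(path);              /* tidy up after the demonstration */
    return left;
}

int main(void)
{
    printf("SIGTERM: left behind = %d\n", leftover_after(SIGTERM));
    printf("SIGKILL: left behind = %d\n", leftover_after(SIGKILL));
    return 0;
}
```

For an administrator, the practical consequence is that stale `pw.*` files in /etc after an interrupted edit are expected leftovers and can be removed once no chpass or vipw session is running.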
