pw_class in _pw_passwd of src/lib/libc/gen/getpwdent.c is initialized
to null. Thus if a user other than root looks up NIS by getpwuid(3) or
getpwnam(3) prior to calling __hashpw, pw_class is null as well.
This breaks some applications including ssh(1) because they believe
that no members of struct passwd are null.
The following sample code shows the problem.
--- v --- sample --- v ---
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>	/* getuid() */

int
main(void)
{
	struct passwd *pw;

	/* Print pw_class as a pointer so that a NULL member is visible. */
	if ((pw = getpwuid(getuid())) != NULL)
		printf("name:\t%s\nclass:\t%p\n", pw->pw_name,
		    (void *)pw->pw_class);
	return (0);
}
--- ^ --- sample --- ^ ---
If you have your passwd entry in NIS, you see something like this:
silver% ./getpwent
name: tanimura
class: 0x0
If your passwd entry is in /etc/master.passwd, the result looks like
this:
silver# ./getpwent
name: root
class: 0x804cc28
where 0x804cc28 points to an empty string, which is the expected
result.
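As we are supposed to fill in all of the members in struct passwd
(like Solaris), _pw_passwd should have an initial value other than
zero.
static struct passwd _pw_passwd =
{
	"",		/* pw_name */
	"",		/* pw_passwd */
	(uid_t)0,	/* pw_uid; XXX Is zero appropriate? */
	(gid_t)0,	/* pw_gid */
	(time_t)0,	/* pw_change */
	"",		/* pw_class */
	"",		/* pw_gecos */
	"",		/* pw_dir */
	"",		/* pw_shell */
	(time_t)0,	/* pw_expire */
	0,		/* pw_fields */
};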
In addition, we should also reinitialize _pw_passwd by this initial
value before rewriting _pw_passwd, because pw_class filled in by a
previous call to __hashpw might grant unauthorized use of a resource or
account.
--
Seigo Tanimura <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
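
The two failure modes described in the message, as an added example that is not part of the original mail or of libc: a reused result buffer whose class member is NULL on first use and stale afterwards, next to the reset-to-template fix. `struct pwrec`, `pwrec_init`, `fill`, `lookup_no_reset` and `lookup_reset` are hypothetical names, and the records are constructed sample data.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for struct passwd; only two string members. */
struct pwrec {
	const char *name;
	const char *lclass;	/* plays the role of pw_class */
};

/* Template in the spirit of the proposed initializer: "" instead of NULL. */
static const struct pwrec pwrec_init = { "", "" };

/* Constructed data: the "partial" source never writes lclass. */
static void
fill(struct pwrec *r, int partial)
{
	r->name = partial ? "tanimura" : "root";
	if (!partial)
		r->lclass = "staff";
}

/* Overwrites the reused buffer in place; unset members keep old values. */
const struct pwrec *
lookup_no_reset(struct pwrec *buf, int partial)
{
	fill(buf, partial);
	return (buf);
}

/* Restores the template before every fill. */
const struct pwrec *
lookup_reset(struct pwrec *buf, int partial)
{
	*buf = pwrec_init;
	fill(buf, partial);
	return (buf);
}

int
main(void)
{
	static struct pwrec a, b, c;	/* zero-filled, so lclass starts NULL */
	printf("first, no reset: %p\n", (const void *)lookup_no_reset(&a, 1)->lclass);
	lookup_no_reset(&b, 0);
	printf("stale, no reset: \"%s\"\n", lookup_no_reset(&b, 1)->lclass);
	lookup_reset(&c, 0);
	printf("with reset:      \"%s\"\n", lookup_reset(&c, 1)->lclass);
	return (0);
}
```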