Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2010-01-18 Thread Christoph Pleger
Hello,

> For your information, security uploads for etch and lenny have been
> done, so we are close to release a Debian Security Announce (DSA)
> with a fix (we are only missing a few builds for etch).
>
> I have also built the lenny package for i386 and uploaded it here:
> http://temp.aurel32.net/glibc-nis/ . Would it be possible that you
> test that everything is still working as expected before releasing
> the DSA? Thanks in advance.

I tested your packages and everything worked as expected.

Regards
  Christoph



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2010-01-17 Thread Aurelien Jarno
Hi,

For your information, security uploads for etch and lenny have been
done, so we are close to release a Debian Security Announce (DSA)
with a fix (we are only missing a few builds for etch).

I have also built the lenny package for i386 and uploaded it here:
http://temp.aurel32.net/glibc-nis/ . Would it be possible that you test
that everything is still working as expected before releasing the DSA?
Thanks in advance.

Aurelien

-- 
Aurelien Jarno  GPG: 1024D/F1BCDB73
aurel...@aurel32.net http://www.aurel32.net




Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2010-01-06 Thread Christoph Pleger
Hello,

On Tue, 5 Jan 2010 21:50:34 +0100
Aurelien Jarno aurel...@aurel32.net wrote:

> Thanks for the patch. I don't know a lot neither about NIS nor about
> the NIS API, but it basically looks ok. Some minor changes and code
> indentation will probably be needed before it can be accepted upstream.
> See my comments inline.

In the previous message, I forgot to mention that I sent the patch
upstream yesterday.

Regards
  Christoph






Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2010-01-06 Thread Aurelien Jarno
On Wed, Jan 06, 2010 at 08:49:48AM +0100, Christoph Pleger wrote:
> Hello,
>
> On Tue, 5 Jan 2010 21:50:34 +0100
> Aurelien Jarno aurel...@aurel32.net wrote:
>
> > This should probably be free(result). Also there are indentation
> > issues.
>
> Oops, my mistake, obviously I sent an obsolete version of the patch. I
> remember that I got a compilation error because of the missing
> parentheses.
>
> Now, I have attached the version of the patch that I really used to
> compile the package successfully.

Thanks, it's better. I have fixed the other comments of your patch, and
included it in eglibc 2.10.1-4. Please find it attached.

If nobody reports a problem with this patch in a few days, I'll do the
necessary to get a security upload for lenny.

-- 
Aurelien Jarno  GPG: 1024D/F1BCDB73
aurel...@aurel32.net http://www.aurel32.net
diff -Naurp glibc-2.7.original/nis/nss_nis/nis-pwd.c glibc-2.7/nis/nss_nis/nis-pwd.c
--- glibc-2.7.original/nis/nss_nis/nis-pwd.c	2006-05-02 00:31:15.0 +0200
+++ glibc-2.7/nis/nss_nis/nis-pwd.c	2009-12-22 09:04:46.0 +0100
@@ -275,8 +275,8 @@ internal_nis_getpwent_r (struct passwd *
 	  yp_match (domain, passwd.adjunct.byname, result, namelen,
 			result2, len2)) == YPERR_SUCCESS)
 	{
-	  /* We found a passwd.adjunct entry.  Merge encrypted
-	 password therein into original result.  */
+	  /* We found a passwd.adjunct entry.  Merge x
+	 into original result.  */
 	  char *encrypted = strchr (result2, ':');
 	  char *endp;
 	  size_t restlen;
@@ -304,7 +304,7 @@ internal_nis_getpwent_r (struct passwd *
 
 	  mempcpy (mempcpy (mempcpy (mempcpy (buffer, result, namelen),
  :, 1),
-			encrypted, endp - encrypted),
+			x, 1),
 		   p, restlen + 1);
 	  p = buffer;
 
@@ -408,8 +408,8 @@ _nss_nis_getpwnam_r (const char *name, s
yp_match (domain, passwd.adjunct.byname, name, namelen,
 		   result2, len2) == YPERR_SUCCESS)
 {
-  /* We found a passwd.adjunct entry.  Merge encrypted password
-	 therein into original result.  */
+  /* We found a passwd.adjunct entry.  Merge x
+	 into original result.  */
   char *encrypted = strchr (result2, ':');
   char *endp;
 
@@ -436,7 +436,7 @@ _nss_nis_getpwnam_r (const char *name, s
 
   __mempcpy (__mempcpy (__mempcpy (__mempcpy (buffer, name, namelen),
    :, 1),
-			encrypted, endp - encrypted),
+			x, 1),
 		 p, restlen + 1);
   p = buffer;
 
@@ -509,8 +509,8 @@ _nss_nis_getpwuid_r (uid_t uid, struct p
 	  yp_match (domain, passwd.adjunct.byname, result, namelen,
 		result2, len2)) == YPERR_SUCCESS)
 {
-  /* We found a passwd.adjunct entry.  Merge encrypted password
-	 therein into original result.  */
+  /* We found a passwd.adjunct entry.  Merge x
+	 into original result.  */
   char *encrypted = strchr (result2, ':');
   char *endp;
   size_t restlen;
@@ -538,7 +538,7 @@ _nss_nis_getpwuid_r (uid_t uid, struct p
 
   __mempcpy (__mempcpy (__mempcpy (__mempcpy (buffer, result, namelen),
    :, 1),
-			encrypted, endp - encrypted),
+			x, 1),
 		 p, restlen + 1);
   p = buffer;
 
diff -Naurp glibc-2.7.original/nis/nss_nis/nis-spwd.c glibc-2.7/nis/nss_nis/nis-spwd.c
--- glibc-2.7.original/nis/nss_nis/nis-spwd.c	2006-04-29 03:09:49.0 +0200
+++ glibc-2.7/nis/nss_nis/nis-spwd.c	2009-12-22 10:02:25.0 +0100
@@ -78,17 +78,42 @@ internal_nis_getspent_r (struct spwd *sp
 {
   char *result;
   char *outkey;
+  char *p;
   int len;
   int keylen;
   int yperr;
+  int adjunct_used = 0;
 
-  if (new_start)
+  if (new_start) {
 yperr = yp_first (domain, shadow.byname, outkey, keylen, result,
 			  len);
-  else
+
+if (yperr == YPERR_MAP) {
+	  if (result != NULL)
+	free result;
+
+	  yperr = yp_first (domain, passwd.adjunct.byname, outkey, keylen, result,
+			len);
+
+	  adjunct_used = 1;
+	}
+  }
+  
+  else {
 yperr = yp_next (domain, shadow.byname, oldkey, oldkeylen, outkey,
 			 keylen, result, len);
 
+if (yperr == YPERR_MAP) {
+	  if (result != NULL)
+	free result;
+
+	  yperr = yp_next (domain, passwd.adjunct.byname, oldkey, oldkeylen, outkey,
+			   keylen, result, len);
+	  
+	  adjunct_used = 1;
+	}
+  }
+
   if (__builtin_expect (yperr != YPERR_SUCCESS, 0))
 {
 	  enum nss_status retval = yperr2nss (yperr);
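
Review bot: adjunct_used is a local that starts at 0 on every call, so in the yp_next branch each enumeration step first asks for shadow.byname, gets YPERR_MAP, and only then asks for passwd.adjunct.byname. On a server that has no shadow.byname map this doubles the NIS requests for a full walk. Suggest remembering which map answered alongside oldkey and oldkeylen and going straight to that map on later calls; the two fallback blocks are also near-identical and could share one helper.
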
@@ -98,15 +123,32 @@ internal_nis_getspent_r (struct spwd *sp
   return retval;
 }
 
-  if (__builtin_expect ((size_t) (len + 1)  buflen, 0))
-{
-  free (result);
-	  *errnop = ERANGE;
-  return NSS_STATUS_TRYAGAIN;
-}
+  if (! adjunct_used)
+	{
+	  if (__builtin_expect ((size_t) (len + 1)  buflen, 0))
+	{
+	  free (result);
+	  *errnop = ERANGE;
+	  return NSS_STATUS_TRYAGAIN;
+	}
+
+	  p = strncpy (buffer, result, len);
+	  buffer[len] = '\0';  
+	}
+  else
+	

Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2010-01-05 Thread Aurelien Jarno
On Tue, Dec 22, 2009 at 12:51:30PM +0100, Christoph Pleger wrote:
> The attached patch seems to solve the problems. It works with nscd as well as
> without nscd. Authentication works fine now.
>
> It makes the following changes:
>
> * In nis-pwd.c, do not mangle encrypted password from
>   passwd.adjunct.byname map  into the password field
>   of passwd map, instead mangle an 'x' into the field
>
> * In nis-spwd.c, look for key in passwd.adjunct.byname if shadow.byname
>   does not exist and add the two missing fields (passwd.adjunct.byname
>   has two fields less than shadow)
>
> Maybe some people can have a look over my patch to see if I missed anything.

Thanks for the patch. I don't know a lot neither about NIS nor about the
NIS API, but it basically looks ok. Some minor changes and code indentation
will probably be needed before it can be accepted upstream. See my comments
inline.

In the meanwhile, I'll include it in the next glibc upload to unstable.
If no bug reports are reported after a few days, we'll also fix stable.


 diff -Naurp glibc-2.7.original/nis/nss_nis/nis-pwd.c 
 glibc-2.7/nis/nss_nis/nis-pwd.c
 --- glibc-2.7.original/nis/nss_nis/nis-pwd.c  2006-05-02 00:31:15.0 
 +0200
 +++ glibc-2.7/nis/nss_nis/nis-pwd.c   2009-12-22 09:04:46.0 +0100
 @@ -275,8 +275,8 @@ internal_nis_getpwent_r (struct passwd *
 yp_match (domain, passwd.adjunct.byname, result, namelen,
   result2, len2)) == YPERR_SUCCESS)
   {
 -   /* We found a passwd.adjunct entry.  Merge encrypted
 -  password therein into original result.  */
 +   /* We found a passwd.adjunct entry.  Merge x
 +  into original result.  */
 char *encrypted = strchr (result2, ':');
 char *endp;
 size_t restlen;
 @@ -304,7 +304,7 @@ internal_nis_getpwent_r (struct passwd *
  
 mempcpy (mempcpy (mempcpy (mempcpy (buffer, result, namelen),
:, 1),
 - encrypted, endp - encrypted),
 + x, 1),

I guess the test above including (endp - encrypted) and that doesn't 
appear in this patch should also be updated. Not doing so does not break
anything though.

Same issues on the similar portion of code below.

  p, restlen + 1);
 p = buffer;
  
 @@ -408,8 +408,8 @@ _nss_nis_getpwnam_r (const char *name, s
 yp_match (domain, passwd.adjunct.byname, name, namelen,
  result2, len2) == YPERR_SUCCESS)
  {
 -  /* We found a passwd.adjunct entry.  Merge encrypted password
 -  therein into original result.  */
 +  /* We found a passwd.adjunct entry.  Merge x
 +  into original result.  */
char *encrypted = strchr (result2, ':');
char *endp;
  
 @@ -436,7 +436,7 @@ _nss_nis_getpwnam_r (const char *name, s
  
__mempcpy (__mempcpy (__mempcpy (__mempcpy (buffer, name, namelen),
  :, 1),
 - encrypted, endp - encrypted),
 + x, 1),
p, restlen + 1);
p = buffer;
  
 @@ -509,8 +509,8 @@ _nss_nis_getpwuid_r (uid_t uid, struct p
 yp_match (domain, passwd.adjunct.byname, result, namelen,
   result2, len2)) == YPERR_SUCCESS)
  {
 -  /* We found a passwd.adjunct entry.  Merge encrypted password
 -  therein into original result.  */
 +  /* We found a passwd.adjunct entry.  Merge x
 +  into original result.  */
char *encrypted = strchr (result2, ':');
char *endp;
size_t restlen;
 @@ -538,7 +538,7 @@ _nss_nis_getpwuid_r (uid_t uid, struct p
  
__mempcpy (__mempcpy (__mempcpy (__mempcpy (buffer, result, namelen),
  :, 1),
 - encrypted, endp - encrypted),
 + x, 1),
p, restlen + 1);
p = buffer;
  
 diff -Naurp glibc-2.7.original/nis/nss_nis/nis-spwd.c 
 glibc-2.7/nis/nss_nis/nis-spwd.c
 --- glibc-2.7.original/nis/nss_nis/nis-spwd.c 2006-04-29 03:09:49.0 
 +0200
 +++ glibc-2.7/nis/nss_nis/nis-spwd.c  2009-12-22 10:02:25.0 +0100
 @@ -78,17 +78,42 @@ internal_nis_getspent_r (struct spwd *sp
  {
char *result;
char *outkey;
 +  char *p;
int len;
int keylen;
int yperr;
 +  int adjunct_used = 0;
  
 -  if (new_start)
 +  if (new_start) {
  yperr = yp_first (domain, shadow.byname, outkey, keylen, result,
 len);
 -  else
 +
 +if (yperr == YPERR_MAP) {
 +   if (result != NULL)
 + free result;

This should probably be free(result). Also there are indentation issues.

Same issues on the similar portion of code below.

 +
 +   yperr = yp_first (domain, passwd.adjunct.byname, outkey, keylen, 
 result,
 + len);
 +
 +   adjunct_used = 1;
 + }
 +  }
 +  
 +  else 

Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2010-01-05 Thread Christoph Pleger
Hello,

On Tue, 5 Jan 2010 21:50:34 +0100
Aurelien Jarno aurel...@aurel32.net wrote:

> This should probably be free(result). Also there are indentation
> issues.

Oops, my mistake, obviously I sent an obsolete version of the patch. I
remember that I got a compilation error because of the missing
parentheses.

Now, I have attached the version of the patch that I really used to
compile the package successfully.
 
Regards
  Christoph


nis_shadow.diff
Description: Binary data


Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2009-12-22 Thread Christoph Pleger
The attached patch seems to solve the problems. It works with nscd as well as 
without nscd. Authentication works fine now.

It makes the following changes:

* In nis-pwd.c, do not mangle encrypted password from 
   passwd.adjunct.byname map  into the password field
   of passwd map, instead mangle an 'x' into the field

* In nis-spwd.c, look for key in passwd.adjunct.byname if shadow.byname
   does not exist and add the two missing fields (passwd.adjunct.byname
   has two fields less than shadow)

Maybe some people can have a look over my patch to see if I missed anything. 
diff -Naurp glibc-2.7.original/nis/nss_nis/nis-pwd.c glibc-2.7/nis/nss_nis/nis-pwd.c
--- glibc-2.7.original/nis/nss_nis/nis-pwd.c	2006-05-02 00:31:15.0 +0200
+++ glibc-2.7/nis/nss_nis/nis-pwd.c	2009-12-22 09:04:46.0 +0100
@@ -275,8 +275,8 @@ internal_nis_getpwent_r (struct passwd *
 	  yp_match (domain, passwd.adjunct.byname, result, namelen,
 			result2, len2)) == YPERR_SUCCESS)
 	{
-	  /* We found a passwd.adjunct entry.  Merge encrypted
-	 password therein into original result.  */
+	  /* We found a passwd.adjunct entry.  Merge x
+	 into original result.  */
 	  char *encrypted = strchr (result2, ':');
 	  char *endp;
 	  size_t restlen;
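
Review bot: the new comment at the top of this hunk, "Merge x into original result", does not say that x is a literal placeholder written in place of the hash, or why, so a reader of nis-pwd.c will not learn from it that the encrypted password is deliberately withheld here. Suggest wording along the lines of "Put a placeholder x in the password field; the hash is only returned by the shadow lookup". The context lines still derive encrypted from result2, which after the following hunk no longer reaches the output buffer, so it is worth checking whether that parsing is still needed. The same comment text is repeated in the _nss_nis_getpwnam_r and _nss_nis_getpwuid_r hunks.
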
@@ -304,7 +304,7 @@ internal_nis_getpwent_r (struct passwd *
 
 	  mempcpy (mempcpy (mempcpy (mempcpy (buffer, result, namelen),
  :, 1),
-			encrypted, endp - encrypted),
+			x, 1),
 		   p, restlen + 1);
 	  p = buffer;
 
@@ -408,8 +408,8 @@ _nss_nis_getpwnam_r (const char *name, s
yp_match (domain, passwd.adjunct.byname, name, namelen,
 		   result2, len2) == YPERR_SUCCESS)
 {
-  /* We found a passwd.adjunct entry.  Merge encrypted password
-	 therein into original result.  */
+  /* We found a passwd.adjunct entry.  Merge x
+	 into original result.  */
   char *encrypted = strchr (result2, ':');
   char *endp;
 
@@ -436,7 +436,7 @@ _nss_nis_getpwnam_r (const char *name, s
 
   __mempcpy (__mempcpy (__mempcpy (__mempcpy (buffer, name, namelen),
    :, 1),
-			encrypted, endp - encrypted),
+			x, 1),
 		 p, restlen + 1);
   p = buffer;
 
@@ -509,8 +509,8 @@ _nss_nis_getpwuid_r (uid_t uid, struct p
 	  yp_match (domain, passwd.adjunct.byname, result, namelen,
 		result2, len2)) == YPERR_SUCCESS)
 {
-  /* We found a passwd.adjunct entry.  Merge encrypted password
-	 therein into original result.  */
+  /* We found a passwd.adjunct entry.  Merge x
+	 into original result.  */
   char *encrypted = strchr (result2, ':');
   char *endp;
   size_t restlen;
@@ -538,7 +538,7 @@ _nss_nis_getpwuid_r (uid_t uid, struct p
 
   __mempcpy (__mempcpy (__mempcpy (__mempcpy (buffer, result, namelen),
    :, 1),
-			encrypted, endp - encrypted),
+			x, 1),
 		 p, restlen + 1);
   p = buffer;
 
diff -Naurp glibc-2.7.original/nis/nss_nis/nis-spwd.c glibc-2.7/nis/nss_nis/nis-spwd.c
--- glibc-2.7.original/nis/nss_nis/nis-spwd.c	2006-04-29 03:09:49.0 +0200
+++ glibc-2.7/nis/nss_nis/nis-spwd.c	2009-12-22 10:02:25.0 +0100
@@ -78,17 +78,42 @@ internal_nis_getspent_r (struct spwd *sp
 {
   char *result;
   char *outkey;
+  char *p;
   int len;
   int keylen;
   int yperr;
+  int adjunct_used = 0;
 
-  if (new_start)
+  if (new_start) {
 yperr = yp_first (domain, shadow.byname, outkey, keylen, result,
 			  len);
-  else
+
+if (yperr == YPERR_MAP) {
+	  if (result != NULL)
+	free result;
+
+	  yperr = yp_first (domain, passwd.adjunct.byname, outkey, keylen, result,
+			len);
+
+	  adjunct_used = 1;
+	}
+  }
+  
+  else {
 yperr = yp_next (domain, shadow.byname, oldkey, oldkeylen, outkey,
 			 keylen, result, len);
 
+if (yperr == YPERR_MAP) {
+	  if (result != NULL)
+	free result;
+
+	  yperr = yp_next (domain, passwd.adjunct.byname, oldkey, oldkeylen, outkey,
+			   keylen, result, len);
+	  
+	  adjunct_used = 1;
+	}
+  }
+
   if (__builtin_expect (yperr != YPERR_SUCCESS, 0))
 {
 	  enum nss_status retval = yperr2nss (yperr);
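
Review bot: in both YPERR_MAP branches "free result;" is missing its parentheses and will not compile; it has to be "free (result);". Separately, result is declared without an initialiser in the context lines at the top of the hunk, so "if (result != NULL)" after a failed yp_first or yp_next tests a value this function has not set unless the callee stores to it on failure. Either initialise result to NULL at the declaration or drop the free on this error path.
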
@@ -98,15 +123,32 @@ internal_nis_getspent_r (struct spwd *sp
   return retval;
 }
 
-  if (__builtin_expect ((size_t) (len + 1)  buflen, 0))
-{
-  free (result);
-	  *errnop = ERANGE;
-  return NSS_STATUS_TRYAGAIN;
-}
+  if (! adjunct_used)
+	{
+	  if (__builtin_expect ((size_t) (len + 1)  buflen, 0))
+	{
+	  free (result);
+	  *errnop = ERANGE;
+	  return NSS_STATUS_TRYAGAIN;
+	}
+
+	  p = strncpy (buffer, result, len);
+	  buffer[len] = '\0';  
+	}
+  else
+	{
+	  if (__builtin_expect ((size_t) (len + 3)  buflen, 0))
+	{
+	  free (result);
+	  *errnop = ERANGE;
+	  return NSS_STATUS_TRYAGAIN;
+	}
+
+	  p = strncpy (buffer, result, len);
+	  buffer[len] = '\0';  
+	  p = strcat (buffer, ::);
+	}
 
-  char *p = 
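
Review bot: the two branches on adjunct_used repeat the same ERANGE block and the same strncpy and terminator pair, differing only in len + 1 versus len + 3 and the final strcat. Computing the required size once (len + 1, plus 2 when adjunct_used is set) and appending the two empty fields conditionally would remove the duplication. The len + 3 also deserves a one-line comment saying it covers the two appended ':' characters plus the terminating NUL.
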

Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2009-12-16 Thread Christoph Pleger
I created the attached patch, which completely disables mangling of passwd and 
passwd.adjunct.byname maps. Additionally, the encrypted password is looked 
for in the map passwd.adjunct.byname if the map shadow.byname does not exist.

This makes getpwnam and getspnam work like I think is correct (that is, 
getpwnam does not show encrypted passwords for anyone and getspnam shows 
encrypted passwords only if called by root).

But now, NIS users cannot authenticate any more. The error message 
in /var/log/auth.log is:

 FAILED LOGIN (1) on 'tty2' FOR `pleger', Authentication service cannot 
retrieve authentication info

Regards
  Christoph
diff -Naurp glibc-2.7.original/nis/nss_nis/nis-pwd.c glibc-2.7/nis/nss_nis/nis-pwd.c
--- glibc-2.7.original/nis/nss_nis/nis-pwd.c	2006-05-02 00:31:15.0 +0200
+++ glibc-2.7/nis/nss_nis/nis-pwd.c	2009-12-15 17:21:00.0 +0100
@@ -270,6 +270,7 @@ internal_nis_getpwent_r (struct passwd *
   char *result2;
   int len2;
   if (p != NULL	/* This better should be true in all cases.  */
+	   (1 == 0)	/* Nobody can see encrypted passwords */
 	   p[1] == '#'  p[2] == '#'
 	   (namelen = p - result,
 	  yp_match (domain, passwd.adjunct.byname, result, namelen,
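
Review bot: the added "(1 == 0)" conjunct makes the whole passwd.adjunct.byname condition constant-false, here and in the two matching hunks for _nss_nis_getpwnam_r and _nss_nis_getpwuid_r, which leaves the merge block below as dead code behind a condition that still reads as if it could fire. If the intent is that the hash is never merged, remove the block or compile it out instead of short-circuiting it. With the branch never taken, an entry whose password field passes the '#' '#' test is also no longer rewritten by this block, so it is worth confirming what callers then see in that field.
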
@@ -404,6 +405,7 @@ _nss_nis_getpwnam_r (const char *name, s
   int len2;
   char *p = strchr (result, ':');
   if (p != NULL	/* This better should be true in all cases.  */
+   (1 == 0)	/* Nobody can see encrypted passwords */
p[1] == '#'  p[2] == '#'
yp_match (domain, passwd.adjunct.byname, name, namelen,
 		   result2, len2) == YPERR_SUCCESS)
@@ -504,6 +506,7 @@ _nss_nis_getpwuid_r (uid_t uid, struct p
   size_t namelen;
   char *p = strchr (result, ':');
   if (p != NULL	/* This better should be true in all cases.  */
+   (1 == 0)	/* Nobody can see encrypted passwords */
p[1] == '#'  p[2] == '#'
(namelen = p - result,
 	  yp_match (domain, passwd.adjunct.byname, result, namelen,
diff -Naurp glibc-2.7.original/nis/nss_nis/nis-spwd.c glibc-2.7/nis/nss_nis/nis-spwd.c
--- glibc-2.7.original/nis/nss_nis/nis-spwd.c	2006-04-29 03:09:49.0 +0200
+++ glibc-2.7/nis/nss_nis/nis-spwd.c	2009-12-15 17:18:25.0 +0100
@@ -78,17 +78,36 @@ internal_nis_getspent_r (struct spwd *sp
 {
   char *result;
   char *outkey;
+  char *p;
   int len;
   int keylen;
   int yperr;
+  int adjunct_used = 0;
 
-  if (new_start)
+  if (new_start) {
 yperr = yp_first (domain, shadow.byname, outkey, keylen, result,
 			  len);
-  else
+
+if (yperr == YPERR_MAP) {
+	  yperr = yp_first (domain, passwd.adjunct.byname, outkey, keylen, result,
+			len);
+
+	  adjunct_used = 1;
+	}
+  }
+  
+  else {
 yperr = yp_next (domain, shadow.byname, oldkey, oldkeylen, outkey,
 			 keylen, result, len);
 
+if (yperr == YPERR_MAP) {
+	  yperr = yp_next (domain, passwd.adjunct.byname, oldkey, oldkeylen, outkey,
+			 keylen, result, len);
+	  
+	  adjunct_used = 1;
+	}
+  }
+
   if (__builtin_expect (yperr != YPERR_SUCCESS, 0))
 {
 	  enum nss_status retval = yperr2nss (yperr);
@@ -105,8 +124,14 @@ internal_nis_getspent_r (struct spwd *sp
   return NSS_STATUS_TRYAGAIN;
 }
 
-  char *p = strncpy (buffer, result, len);
-  buffer[len] = '\0';
+  if (! adjunct_used) 
+	p = strncpy (buffer, result, len);
+  else {
+	p = strncpy (buffer, result, len-2);
+	buffer[len-2] = ':';
+	buffer[len-1] = ':';
+  } 
+  
   while (isspace (*p))
 ++p;
   free (result);
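
Review bot: this hunk removes "buffer[len] = '\0';" and neither new branch puts a terminator back. strncpy with a count of len or len-2 does not add one itself unless the source is shorter than the count, so the "while (isspace (*p))" scan and the parsing after it can read an unterminated buffer. Keep an explicit terminator after both branches, as the matching hunk in _nss_nis_getspnam_r still does.
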
@@ -149,6 +174,9 @@ enum nss_status
 _nss_nis_getspnam_r (const char *name, struct spwd *sp,
 		 char *buffer, size_t buflen, int *errnop)
 {
+  int adjunct_used = 0;
+  char *p;
+
   if (name == NULL)
 {
   *errnop = EINVAL;
@@ -164,6 +192,12 @@ _nss_nis_getspnam_r (const char *name, s
   int yperr = yp_match (domain, shadow.byname, name, strlen (name), result,
 			len);
 
+  if (yperr == YPERR_MAP) {
+yperr = yp_match (domain, passwd.adjunct.byname, name, strlen (name), result,
+		  len);
+adjunct_used = 1;
+  }
+
   if (__builtin_expect (yperr != YPERR_SUCCESS, 0))
 {
   enum nss_status retval = yperr2nss (yperr);
@@ -180,7 +214,14 @@ _nss_nis_getspnam_r (const char *name, s
   return NSS_STATUS_TRYAGAIN;
 }
 
-  char *p = strncpy (buffer, result, len);
+  if (! adjunct_used) 
+p = strncpy (buffer, result, len);
+  else {
+p = strncpy (buffer, result, len-2);
+buffer[len-2] = ':';
+buffer[len-1] = ':';
+  } 
+  
   buffer[len] = '\0';
   while (isspace (*p))
 ++p;
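
Review bot: in the adjunct branch strncpy copies only len-2 bytes and the two ':' are stored at buffer[len-2] and buffer[len-1], so the last two bytes of the passwd.adjunct.byname value are overwritten instead of two empty fields being appended after it. To add the fields the branch needs to copy all len bytes, write the colons at buffer[len] and buffer[len+1] and terminate at buffer[len+2], and any buffer-size check ahead of it has to allow for len + 3 bytes in that case.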


Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2009-12-14 Thread Christoph Pleger
Hello,

the problem is somehow caused by nscd. When I disable passwd caching
in /etc/nscd.conf and then restart nscd, the shadow passwords can only
be seen by root.

Because of the security risk, I recommend to set the severity of this
bug to critical.

Regards
  Christoph






Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2009-12-14 Thread Aurelien Jarno
Christoph Pleger wrote:
> Hello,
>
> the problem is somehow caused by nscd. When I disable passwd caching
> in /etc/nscd.conf and then restart nscd, the shadow passwords can only
> be seen by root.
 

Unfortunately I don't have a NIS setup to debug that. Can you try with
libc6 / nscd from testing or unstable on a machine or even in a chroot?

If it is fixed in newer versions, we will try to find the commit fixing
this and then backport the fix. If it is not, I'll have to create a NIS
setup to debug it ;(

-- 
Aurelien Jarno  GPG: 1024D/F1BCDB73
aurel...@aurel32.net http://www.aurel32.net






Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2009-12-14 Thread Christoph Pleger
Hello,

the mangling of passwd and passwd.adjunct.byname happens in
glibc-2.7/nis/nss_nis/nis-pwd.c. Before I found out that nscd is part
of the problem, I tried to let the mangling happen only if the calling
user to getpwnam is root (by checking for geteuid() == 0), but that
did not solve the problem, maybe because nscd is running as root and
so the euid is always 0? After replacing the condition (geteuid() == 0)
with (1 == 0), no NIS shadow passwords are shown, not even for root.

Regards
  Christoph






Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2009-12-14 Thread Christoph Pleger
> Unfortunately I don't have a NIS setup to debug that. Can you try with
> libc6 / nscd from testing or unstable on a machine or even in a
> chroot?
>
> If it is fixed in newer versions, we will try to find the commit
> fixing this and then backport the fix. If it is not, I'll have to
> create a NIS setup to debug it ;(

Installation of libc6 from squeeze did not solve the problem. 






Bug#560333: libc6: getpwnam shows shadow passwords of NIS users

2009-12-10 Thread Christoph Pleger
Package: libc6
Version: 2.7-18
Severity: normal

Hello,

I have several machines where almost all user accounts come by NIS. The NIS
server is running on a Solaris machine. As usual, the Solaris NIS server
exports the passwd data in the map passwd and the shadow data in the map
passwd.adjunct.byname. These two maps are mangled together in some calls
of libc6, for example in getpwnam. This makes it possible for every user who
has an account on the NIS client machine to see the encrypted passwords of
all NIS users. This is a grave security bug.

Furthermore, getspnam returns a NULL pointer for all NIS users, even if
getspnam is called by root.

Regards
  Christoph 


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libc6 depends on:
ii  libgcc1  1:4.3.2-1.1 GCC support library

libc6 recommends no packages.

Versions of packages libc6 suggests:
pn  glibc-doc   none    (no description available)
ii  libc6-i686  2.7-18  GNU C Library: Shared libraries [i
ii  locales     2.7-18  GNU C Library: National Language (

-- debconf information:
  glibc/upgrade: true
  glibc/restart-failed:
* glibc/restart-services: ssh openbsd-inetd cron


