On Sat, Sep 27, 2008 at 6:33 AM, Johan Hartzenberg <jhartzen at gmail.com> wrote:
>
> On Sat, Sep 27, 2008 at 8:34 AM, Jason King <jason at ansipunx.net> wrote:
>>
>> usermod appears to use $PATH to locate passmgmt. Shouldn't it really
>> use a full pathname to invoke it?
>>
>> I know it's not suid, but I'm thinking if given permissions via rbac,
>> there might be an issue. Can anyone confirm if I'm on to something or
>> just off my rocker?
>
> Correct, there is definitely an opportunity for problems here.
>
> I added /tmp/bin to my path before /usr/bin. Then I created passmgmt as a
> script in /tmp/bin, made it executable
>
> It contained, amongst other things, a line to
> touch /tmp/who_is_this
>
> The file /tmp/who_is_this is created as root:root when I tried to run either
> useradd or usermod. I didn't test anything else.
>
> I did all of the above as a non-root user, using pfexec to execute usermod
> and useradd

After my initial post, I did some playing and did something similar as what you did (but then it was late, so I went to bed :)). I went ahead and filed a bug, though have not received the # yet. I think it is probably not a huge issue since it does require extra privs to begin with (ability to run user* as root), but still should be fixed.
