mailing list archives
Re: Nasty SunOS initgroups() bug
From: Doug.Hughes () Eng Auburn EDU (Doug Hughes)
Date: Wed, 15 May 1996 08:07:43 -0500
Glad to see bugtraq is functional again, despite the fair bit of
noise, it was the best source of information about.
When using NIS, SunOS picks the wrong field within initgroups() when there
is an empty passwd.
For instance, we had the following entry in our NIS passwd file
(this is what caused us to discover the bug.)
gopher::81:99:Public Access Gopher:/home/gopher:/usr/local/bin/rgopher
We are using shadowed passwords, but we don't have them for this entry, as
we don't want people to get a password prompt at all.
Now, what is happening is that the system (specifically initgroups()) is
using 99 as the UID by which to set groups, not 81. This is *very* bad.
Let me show you using account blahblah (same entry as above w/ different
username and shell only)
group 99 = internal
uid 99 = jamesd
(root)claudia:~darrell# groups blahblah
(root)claudia:~darrell# groups jamesd
jamesd: internal russ support billing teleport majordom www wheel users progs
bbs admin ftp
(root)claudia:~darrell# telnet julie
Trying 18.104.22.168 ...
Connected to julie.teleport.com.
Escape character is '^]'.
SunOS UNIX (julie)
In SunOS running shadow passwords you MUST have the password field
filled with ##gopher (or whatever the account name is). This doesn't
mean the bug isn't nasty, but, you do have to follow the rules to
make it work correctly. Leave the password field blank in the shadow
If you do this, you won't see the bug. I wouldn't hold your breath
on sun fixing this one either. They have an out. They can tell you
to follow the rules and you won't have the problem. Besides which
they aren't spending much time on SunOS4 these days.
Doug Hughes Engineering Network Services
System/Net Admin Auburn University
doug () eng auburn edu
Pro is to Con as progress is to congress