Home page logo

bugtraq logo Bugtraq mailing list archives

Sun CDE 1.0.1: login bug
From: isaac () CALVIN CS QC EDU (Isaac)
Date: Mon, 28 Jul 1997 16:26:40 -0400


I apologize if my discovery is old news, yet I thought it important
to share and find out if this is being worked on by Sun.

The problem is that CDE (Common Desktop Environment) seems to
accept logins with usernames which have spaces prepended to them.
I am not sure if this is the case with other window managers since
I did not test this with other then CDE.

The following is the 'uname -a' output:

SunOS [hostname] 5.5 Generic sun4m sparc SUNW,SPARCstation-20

(Same bug was the case on Ultra-1, too, so I don't think that
this is an architecture-dependent bug)

Using CDE (Common Desktop Environment), if you enter a few spaces
before your username when logging on from the console, the system will log
you in normally with no warnings of any kind.  I observed the following
traces of suspicious behavior:

The home directory suddenly lists a directory created shortly after login,
which is composed of the following structure:


(I guess the 0 can be incremented to any integer if other similar login
instances follow)

I ran a few programs which utilize wtmp/utmp files shortly after login,
while being the only user on the host (though I observed same behavior
when other users are logged on, too); below are the outputs:

(Note: the username with which I found this behaviour is 'cshelp')

Output of 'last -1':
       c  console      :0               Mon Jul 28 15:33   still logged in
Output of 'users':
Output of 'who':
       c   console      Jul 28 15:33    (:0)
cshelp     pts/2        Jul 28 15:34    (:0.0)
cshelp     pts/3        Jul 28 15:34    (:0.0)
Output of 'w':
 3:34pm  up 1 day(s), 16:49,  1 user,  load average: 0.38, 0.21, 0.10
User     tty           login@  idle   JCPU   PCPU  what
       c console       3:33pm34days      2         /bin/csh -c unsetenv _ PWD;
cshelp   pts/2         3:34pm            1         w
cshelp   pts/3         3:34pm     1                tcsh
Output of 'finger' (normal):
Login       Name               TTY         Idle    When    Where
cshelp   student Aid           console          Mon 15:33  :0

Programs such as 'id' and 'whoami' behaved normally.

Also: launching Mailer 1.0.1 causes a creation of a file
which is the username + spaces prepended to it, in /var/mail !

-rw-------   1 cshelp   staff          0 Jul 28 16:08        cshelp

It may be relative to mention that this file can be deleted
problemlessly from there:
rm \ \ \ \ \ \ \ cshelp
rm: remove        cshelp (y/n)? y

I do not know if I may call this a bug.  Perhaps it is my lack of
knowledge of SunOS/CDE that drives me in the direction of calling
the unknown/unexpected behavior a bug.  However, I believe that the
observed behaviour is due to the programs which write to wtmp/utmp files.
More importantly, I would very much like to hear from others on this issue.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]