Re: vixie cron possible local root compromise

["Rodrigo Barbosa (aka morcego)" <rodrigob () CONECTIVA COM BR>]

On Mon, Feb 12, 2001 at 01:12:02PM -0500, gabriel rosenkoetter wrote:
> On Sun, Feb 11, 2001 at 12:38:02AM +0100, Flatline wrote:
> > When crontab has determined the name of the user calling crontab (using
> > getpwuid()),
> > the login name is stored in a 20 byte buffer using the strcpy() function
> > (which does no bounds checking). 'useradd' (the utility used to add users
> > to the system)
> > however allows usernames of over 20 characters (32 at most on my distribution).
> >
> > Therefore, running crontab as a user whose login name exceeds 20 characters
> > crashes it.
>
> Then your useradd is broken and doing improper bounds checking.
>
> I'm not sure why Vixie chose 20 characters, but it should be enough,
> since usernames longer than 8 characters should not be expected to
> behave properly. (They system won't know they're unique.) This is a
> POSIX thing, last I heard.

Hummm, not exactly. Last time I checked, there where lots of systems that
allowed usernames to be 32 chars long. 
GLIBC implementation (at least on version 2.2 and 2.1.3 from cvs) allow it.
Quick check:

#include <wtmpx.h>

main () {
        printf("%d\n",__UT_NAMESIZE);
}

or, if your system does not have wtmpx.h

#include <wtmp.h>

main () {
        printf("%d\n",UT_NAMESIZE);
}

If anyone can find any system that reports less then 32, it will be an exception
of the rule. Of course I mean current systems. libc5 systems, AIX 3.2 and old
systems like that will probably return 16 or even 8.

[]s

-- 
 Rodrigo Barbosa (morcego)         - rodrigob at conectiva.com.br
 Conectiva R&D Team                - http://distro.conectiva.com.br
 "Quis custodiet ipsos custodiet?" - http://www.conectiva.com

Attachment: _bin
Description: