Bugtraq mailing list archives
Re: vixie cron possible local root compromise
From: "Juergen P. Meier" <jpm () class de>
Date: Thu, 15 Feb 2001 13:51:22 +0100
On Wed, Feb 14, 2001 at 11:34:02AM -0500, Valdis Kletnieks wrote:
Of course, what's important isn't what wtmpx.h defines it as, but what pwd.h has to say about it. If getpwent() won't handle it, your wtmp format doesn't matter... Note also that some systems have utmpx.h not wtmpx.h
If anyone can find any system that reports less than 32, it will be an exception of the rule. Of course I mean current systems. libc5 systems, AIX 3.2 and old systems like that will probably return 16 or even 8.
AIX 4.3.3 and AIX 5.0 both limit it to 8 in utmpx.h
Solaris 5.7 has a 32-char limit in wtmp, but has this in 'man useradd':
Years of wrestling a big NIS+ cluster with Suns and Linux systems taught me that one should _never_ ever completely trust anything that's just written in the manual (pages) - it's always better to check with the source (or at least the headers) - and check portability before anything else ;)
Btw, the file-db routines in Solaris (in Solaris 2.4 through 2.6, don't know what 7 and 8 make of it) libs do handle login names of up to 32 chars well. It's just that NIS+ is horribly broken when it comes to long login names (and passwords, btw ;). One does also run into big problems with all login-type daemons like ftp, rsh etc.
Just a side note: in /usr/include/limits.h one can find this: (sol 2.6, 7 and 8)
    #define LOGNAME_MAX 8 /* max # of characters in a login name */
    /* POSIX.1c conformant */
    #define _POSIX_LOGIN_NAME_MAX 9
That's one reason why I used to include <limits.h> in my programs ;)
Moral of the story: Not all the world is Linux, and some vendors care more about backward and cross compatibility than being the latest-and-greatest.
ACK
-- Valdis Kletnieks Operating Systems Analyst Virginia Tech
Juergen -- Juergen P. Meier email: jpm () class de
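Added example, not part of the original post or of any project discussed in the thread: one way to take the login-name limit from the host (sysconf, then the <limits.h> macros mentioned above) instead of hardcoding 32, and to reject names that do not fit a fixed buffer. The function names login_name_size and copy_login_name are hypothetical, and the sample names in main are constructed.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Login name size this host accepts, counting the terminating NUL. */
long login_name_size(void)
{
#ifdef _SC_LOGIN_NAME_MAX
    long n = sysconf(_SC_LOGIN_NAME_MAX);   /* runtime value, POSIX.1c */
    if (n > 0)
        return n;
#endif
#if defined(LOGIN_NAME_MAX)
    return LOGIN_NAME_MAX;                  /* compile-time, includes the NUL */
#elif defined(LOGNAME_MAX)
    return LOGNAME_MAX + 1;                 /* characters only, so add the NUL */
#else
    return 9;                               /* value of _POSIX_LOGIN_NAME_MAX */
#endif
}

/* Copy name into dst only if it fits both the buffer and the host limit.
 * Returns 0 on success; -1 with errno EINVAL or ENAMETOOLONG otherwise. */
int copy_login_name(char *dst, size_t dstsize, const char *name)
{
    if (!dst || !name || dstsize == 0 || name[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    size_t len = strlen(name);
    if (len >= dstsize || len >= (size_t)login_name_size()) {
        dst[0] = '\0';                      /* never leave a truncated name behind */
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, name, len + 1);             /* len + 1 copies the NUL as well */
    return 0;
}

int main(void)
{
    char buf[9];    /* room for 8 characters + NUL, as LOGNAME_MAX 8 implies */
    const char *samples[] = { "jpm", "username", "operations_admin" }; /* constructed */
    for (size_t i = 0; i < 3; i++)
        printf("%-18s -> %d\n", samples[i], copy_login_name(buf, sizeof buf, samples[i]));
    printf("host limit incl. NUL: %ld\n", login_name_size());
    return 0;
}
```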