Bugtraq mailing list archives

Re: GNU finger 1.37 executes ~/.fingerrc with gid root


From: joerg.czeranski () informatik tu-clausthal de (Joerg Czeranski)
Date: Sat, 18 Mar 1995 17:15:07 +0100


There is a bug in the `lib/site/userinfo.c' module of GNU finger version
1.37 allowing any user on a system to execute arbitrary commands with gid
root from ~/.fingerrc. The problem is that GNU finger *first* changes its
userid thus giving away root privileges and *then* tries to change its gid
which will not succeed.

Greetings, Thomas


[patch deleted]

And it seems (from the lines in your patch) that the initgroups()
call is missing, too.  That would imply that the commands would
inherit the supplementary group IDs from fingerd.
The supplementary group ID set may be empty depending on the
flavour/version of inetd, but it's at least begging for disaster.

I haven't taken a closer look though.  If I'm mistaken and
the initgroups() is explicitly or implicitly there,
I apologize.

joerg

--
Joerg Czeranski                 EMail czeranski () informatik tu-clausthal de
Osteroeder Strasse 55                 czeranski () rz tu-clausthal de
D 38678 Clausthal-Zellerfeld    WWW   http://www.in.tu-clausthal.de/~injc/
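
The ordering problem discussed in this thread, as an added example that is not part of the original posts and is not GNU finger's code: a drop routine that sets supplementary groups, then gid, then uid, checking every result. The names `cred_ops`, `drop_privileges` and the `sim_*` functions are hypothetical, the simulation is a constructed model of the rule that only uid 0 may change group credentials, and the glibc signature of initgroups() is assumed.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* glibc: declares initgroups() */
#endif
#include <grp.h>
#include <pwd.h>
#include <unistd.h>

/* Credential calls behind pointers so the ordering can be tested without root. */
struct cred_ops {
    int (*initgroups)(const char *user, gid_t gid);
    int (*setgid)(gid_t gid);
    int (*setuid)(uid_t uid);
};
const struct cred_ops real_ops = { initgroups, setgid, setuid };

/* Drop from root to pw for good: supplementary groups, then gid, then uid.
 * Returns 0 on success, -1 on any failure; on -1 the caller must exit. */
int drop_privileges(const struct cred_ops *ops, const struct passwd *pw)
{
    if (ops->initgroups(pw->pw_name, pw->pw_gid) != 0) return -1;
    if (ops->setgid(pw->pw_gid) != 0) return -1;
    if (ops->setuid(pw->pw_uid) != 0) return -1;
    return 0;
}

/* Constructed simulation: only uid 0 may change gid or supplementary groups. */
static struct { uid_t uid; gid_t gid; gid_t supp; } sim;
static int sim_initgroups(const char *user, gid_t gid)
{ (void)user; if (sim.uid != 0) return -1; sim.supp = gid; return 0; }
static int sim_setgid(gid_t gid)
{ if (sim.uid != 0 && gid != sim.gid) return -1; sim.gid = gid; return 0; }
static int sim_setuid(uid_t uid)
{ if (sim.uid != 0 && uid != sim.uid) return -1; sim.uid = uid; return 0; }
static const struct cred_ops sim_ops = { sim_initgroups, sim_setgid, sim_setuid };

/* Order from the report: uid, then gid, no initgroups. Returns the resulting gid. */
gid_t sim_uid_first(uid_t uid, gid_t gid)
{
    sim.uid = 0; sim.gid = 0; sim.supp = 0;   /* start as root:root */
    sim_setuid(uid);
    sim_setgid(gid);                          /* fails: no longer uid 0 */
    return sim.gid;
}
/* Corrected order against the same simulation; 0 means fully dropped. */
int sim_fixed(uid_t uid, gid_t gid)
{
    char name[] = "user";                     /* constructed account name */
    struct passwd pw = { .pw_name = name, .pw_uid = uid, .pw_gid = gid };
    sim.uid = 0; sim.gid = 0; sim.supp = 0;
    return drop_privileges(&sim_ops, &pw);
}
```

In a real daemon, pass `&real_ops` and the entry returned by getpwnam() before running anything from the user's home directory.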


