author: Karel Zak, 2015-08-24 10:05:55 +0200
committer: Karel Zak, 2015-08-24 10:05:55 +0200
commit: bde91c85bdc77975155058276f99d2e0f5eab5a9
tree: c9bf09e5f6ff82913d7b61561e3dfa134d2be199 /login-utils/chfn.c
parent: tests: add blkid script to test whole-disk MBR devices
chsh, chfn, vipw: fix filenames collision

The utils, when compiled WITHOUT libuser, are then mkostemp()ing "/etc/%s.XXXXXX" where the filename prefix is argv[0] basename. An attacker could repeatedly execute the util with modified argv[0] and after many many attempts mkostemp() may generate a suffix which makes sense. The result may be a temporary file with a name like rc.status, ld.so.preload or krb5.keytab, etc.

Note that distros usually use libuser based ch{sh,fn} or stuff from shadow-utils.

It's probably a very minor security bug.

Addresses: CVE-2015-5224
Signed-off-by: Karel Zak <kzak@redhat.com>

Diffstat (limited to 'login-utils/chfn.c')
-rw-r--r-- login-utils/chfn.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/login-utils/chfn.c b/login-utils/chfn.c
index ac0a3cbde..b1c7ea25a 100644
--- a/login-utils/chfn.c
+++ b/login-utils/chfn.c
@@ -373,7 +373,7 @@ static int save_new_data(struct chfn_control *ctl)
#else /* HAVE_LIBUSER */
/* write the new struct passwd to the passwd file. */
ctl->pw->pw_gecos = gecos;
- if (setpwnam(ctl->pw) < 0) {
+ if (setpwnam(ctl->pw, ".chfn") < 0) {
warn("setpwnam failed");
#endif
printf(_
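
Review bot: The new second argument on the changed line, `setpwnam(ctl->pw, ".chfn")`, is a bare string literal whose role is not evident at the call site. Add a short comment saying that it is the fixed prefix for the temporary file name, replacing the argv[0] basename described in the commit message, or use a named constant so the chsh and vipw callers follow the same pattern. Because this view is limited to login-utils/chfn.c, also confirm that the setpwnam() declaration and its other callers are updated in the same commit, since this call will not compile against a one-argument prototype.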