chsh, chfn, vipw: fix filenames collision

The utils when compiled WITHOUT libuser then mkostemp()ing
"/etc/%s.XXXXXX" where the filename prefix is argv[0] basename.

An attacker could repeatedly execute the util with modified argv[0]
and after many many attempts mkostemp() may generate suffix which
makes sense. The result maybe temporary file with name like rc.status
ld.so.preload or krb5.keytab, etc.

Note that distros usually use libuser based ch{sh,fn} or stuff from
shadow-utils.

It's probably very minor security bug.

Addresses: CVE-2015-5224
Signed-off-by: Karel Zak <kzak@redhat.com>

1 files changed, 2 insertions, 3 deletions

diff --git a/login-utils/setpwnam.c b/login-utils/setpwnam.c
index 79f3299d4..9f39d0181 100644
--- a/login-utils/setpwnam.c
+++ b/login-utils/setpwnam.c
@@ -71,7 +71,7 @@ static void pw_init(void);
  *	If the given username exists in the passwd file, the entry is
  *	replaced with the given entry.
  */
-int setpwnam(struct passwd *pwd)
+int setpwnam(struct passwd *pwd, const char *prefix)
 {
 	FILE *fp = NULL, *pwf = NULL;
 	int save_errno;
@@ -81,11 +81,10 @@ int setpwnam(struct passwd *pwd)
 	int contlen, rc;
 	char *linebuf = NULL;
 	char *tmpname = NULL;
-	char *atomic_dir = "/etc";
 
 	pw_init();
 
-	if ((fp = xfmkstemp(&tmpname, atomic_dir)) == NULL)
+	if ((fp = xfmkstemp(&tmpname, "/etc", prefix)) == NULL)
 		return -1;
 
 	/* ptmp should be owned by root.root or root.wheel */