diff options
| author | Karel Zak | 2015-08-24 10:05:55 +0200 |
|---|---|---|
| committer | Karel Zak | 2015-08-24 10:05:55 +0200 |
| commit | bde91c85bdc77975155058276f99d2e0f5eab5a9 (patch) | |
| tree | c9bf09e5f6ff82913d7b61561e3dfa134d2be199 /login-utils/setpwnam.h | |
| parent | tests: add blkid script to test whole-disk MBR devices (diff) | |
| download | kernel-qcow2-util-linux-bde91c85bdc77975155058276f99d2e0f5eab5a9.tar.gz kernel-qcow2-util-linux-bde91c85bdc77975155058276f99d2e0f5eab5a9.tar.xz kernel-qcow2-util-linux-bde91c85bdc77975155058276f99d2e0f5eab5a9.zip | |
chsh, chfn, vipw: fix filenames collision
The utils when compiled WITHOUT libuser then mkostemp()ing
"/etc/%s.XXXXXX" where the filename prefix is argv[0] basename.
An attacker could repeatedly execute the util with modified argv[0]
and after many many attempts mkostemp() may generate suffix which
makes sense. The result maybe temporary file with name like rc.status
ld.so.preload or krb5.keytab, etc.
Note that distros usually use libuser based ch{sh,fn} or stuff from
shadow-utils.
It's probably very minor security bug.
Addresses: CVE-2015-5224
Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'login-utils/setpwnam.h')
| -rw-r--r-- | login-utils/setpwnam.h | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/login-utils/setpwnam.h b/login-utils/setpwnam.h index 7d69445e8..95785923f 100644 --- a/login-utils/setpwnam.h +++ b/login-utils/setpwnam.h @@ -11,6 +11,8 @@ * published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. */ +#ifndef UTIL_LINUX_SETPWNAM_H +#define UTIL_LINUX_SETPWNAM_H #include "pathnames.h" @@ -26,4 +28,6 @@ # define SGROUP_FILE "/tmp/gshadow" #endif -extern int setpwnam (struct passwd *pwd); +extern int setpwnam (struct passwd *pwd, const char *prefix); + +#endif /* UTIL_LINUX_SETPWNAM_H */ |