diff options
| author | Karel Zak | 2015-08-24 10:05:55 +0200 |
|---|---|---|
| committer | Karel Zak | 2015-08-24 10:05:55 +0200 |
| commit | bde91c85bdc77975155058276f99d2e0f5eab5a9 (patch) | |
| tree | c9bf09e5f6ff82913d7b61561e3dfa134d2be199 /login-utils/vipw.c | |
| parent | tests: add blkid script to test whole-disk MBR devices (diff) | |
| download | kernel-qcow2-util-linux-bde91c85bdc77975155058276f99d2e0f5eab5a9.tar.gz kernel-qcow2-util-linux-bde91c85bdc77975155058276f99d2e0f5eab5a9.tar.xz kernel-qcow2-util-linux-bde91c85bdc77975155058276f99d2e0f5eab5a9.zip | |
chsh, chfn, vipw: fix filenames collision
The utils when compiled WITHOUT libuser then mkostemp()ing
"/etc/%s.XXXXXX" where the filename prefix is argv[0] basename.
An attacker could repeatedly execute the util with modified argv[0]
and after many many attempts mkostemp() may generate suffix which
makes sense. The result maybe temporary file with name like rc.status
ld.so.preload or krb5.keytab, etc.
Note that distros usually use libuser based ch{sh,fn} or stuff from
shadow-utils.
It's probably very minor security bug.
Addresses: CVE-2015-5224
Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'login-utils/vipw.c')
| -rw-r--r-- | login-utils/vipw.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/login-utils/vipw.c b/login-utils/vipw.c index 9fb25502c..a3c932f16 100644 --- a/login-utils/vipw.c +++ b/login-utils/vipw.c @@ -135,9 +135,8 @@ static FILE * pw_tmpfile(int lockfd) { FILE *fd; char *tmpname = NULL; - char *dir = "/etc"; - if ((fd = xfmkstemp(&tmpname, dir)) == NULL) { + if ((fd = xfmkstemp(&tmpname, "/etc", ".vipw")) == NULL) { ulckpwdf(); err(EXIT_FAILURE, _("can't open temporary file")); } |