getpwnam shows shadow passwords of NIS users
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| GLibC | Fix Released | Critical | | |
| eglibc (Ubuntu) | Fix Released | Medium | Unassigned | |
| Dapper | Won't Fix | Medium | Unassigned | |
| Hardy | Won't Fix | Medium | Unassigned | |
| Intrepid | Invalid | Medium | Unassigned | |
| Jaunty | Won't Fix | Medium | Unassigned | |
| Karmic | Won't Fix | Medium | Unassigned | |
| Lucid | Fix Released | Medium | Unassigned | |

Bug Description
Hello,
I have several machines where almost all user accounts come by NIS. The NIS
server is running on a Solaris machine. As usual, the Solaris NIS server
exports the passwd data in the map "passwd" and the shadow data in the map
"passwd.
of libc6, for example in getpwnam. This makes it possible for every user who
has an account on the NIS client machine to see the encrypted passwords of
all NIS users. This is a grave security bug.
Furthermore, getspnam returns a NULL pointer for all NIS users, even if
getspnam is called by root.
The attached patch seems to solve the problems.
It makes the following changes:
* In nis-pwd.c, do not mangle encrypted password from
passwd.
of passwd map, instead mangle an 'x' into the field
* In nis-spwd.c, look for key in passwd.
does not exist and add the two missing fields (passwd.
has two fields less than shadow)
Maybe some people can have a look over my patch to see if I missed anything.
Regards
Christoph
ProblemType: Bug
Architecture: amd64
Date: Tue Dec 22 13:02:29 2009
Dependencies:
libgcc1 1:4.2.4-1ubuntu3
gcc-4.2-base 4.2.4-1ubuntu3
libc6 2.7-10ubuntu5
DistroRelease: Ubuntu 8.04
Package: libc6 2.7-10ubuntu5
PackageArchitec
ProcEnviron:
SHELL=/bin/tcsh
PATH=/
LANG=en_US.UTF-8
SourcePackage: glibc
Uname: Linux 2.6.24-24-generic x86_64
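
The check below can be run as an unprivileged user on an NIS client to see whether getpwnam hands back a password hash in pw_passwd, as the report describes, instead of a placeholder such as the 'x' the patch substitutes. It is an added example, not the patch attached to this report; the function names and the hash-shape heuristic are assumptions.

```c
/* Added example: flag accounts whose hash is visible through getpwnam(). */
#include <pwd.h>
#include <stdio.h>
#include <string.h>

enum pw_field { PW_NO_HASH = 0, PW_EXPOSED_HASH = 1 };

/* Decide whether a pw_passwd value has the shape of a crypt(3) hash.
 * Heuristic (assumption): modular "$id$..." strings and 13-character
 * traditional DES strings count as hashes. */
enum pw_field classify_pw_field(const char *f)
{
    static const char alphabet[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    const char *sep;

    if (f == NULL)
        return PW_NO_HASH;
    while (*f == '!')              /* a locked hash is still a hash */
        f++;
    if (f[0] == '$' && (sep = strchr(f + 1, '$')) != NULL && sep[1] != '\0')
        return PW_EXPOSED_HASH;    /* $id$salt$hash */
    if (strlen(f) == 13 && strspn(f, alphabet) == 13)
        return PW_EXPOSED_HASH;    /* traditional DES crypt */
    return PW_NO_HASH;             /* "x", "*", empty, other placeholders */
}

/* Returns -1 if the user is unknown, otherwise the classification.
 * The field itself is never printed. */
int audit_user(const char *name)
{
    struct passwd *pw = getpwnam(name);
    return pw == NULL ? -1 : (int)classify_pw_field(pw->pw_passwd);
}

int main(int argc, char **argv)
{
    int exposed = 0;
    for (int i = 1; i < argc; i++) {
        int r = audit_user(argv[i]);
        printf("%-16s %s\n", argv[i],
               r < 0 ? "not found" : r ? "HASH EXPOSED via getpwnam" : "ok");
        exposed |= (r == 1);
    }
    return exposed;   /* non-zero exit if any account leaks its hash */
}
```

Pass NIS account names as arguments; a non-zero exit status means at least one of them returned a hash-shaped pw_passwd to an ordinary user.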
CVE References
visibility: private → public
affects: glibc (Ubuntu) → eglibc (Ubuntu)
Changed in glibc:
status: Unknown → Confirmed
Changed in glibc:
status: Confirmed → Incomplete
Changed in glibc:
status: Incomplete → Fix Released
Changed in eglibc (Ubuntu Karmic):
status: In Progress → Won't Fix
Changed in eglibc (Ubuntu Dapper):
status: In Progress → Triaged
Changed in eglibc (Ubuntu Hardy):
status: In Progress → Triaged
Changed in glibc:
importance: Unknown → Critical
Hello! Thanks for the report and the patch. One thing I'm curious about; isn't it possible for a local user to just use "ypcat passwd.adjunct.byname" to see the encrypted passwords? Regardless, I would be curious to see if upstream glibc would be willing to use your patch. Have you opened a bug with glibc? http://sourceware.org/bugzilla/
Also, IIUC, this is not a "private" security issue, in that NIS leaking encrypted passwords is a fairly well understood limitation. Should this bug be made public to get more people looking at it?