This is the mail archive of the
mailing list for the Cygwin project.
[bug: login] login command with -f flag fails to switch user account.
- From: Takashi Yano <takashi dot yano at nifty dot ne dot jp>
- To: cygwin at cygwin dot com
- Date: Thu, 14 Jun 2018 00:02:48 +0900
- Subject: [bug: login] login command with -f flag fails to switch user account.
I have found that the login command with the -f flag fails to switch
the user account correctly.
This causes a severe security problem. A user can get a console
having cyg_server rights without a password by the following steps.

0.1. Install rsh-server and rsh with inetutils packages.
0.2. Set them up to work properly.
1.1. Make ~/.rhosts with line 'localhost'
1.2. Execute 'rlogin localhost'.

Now you can get the cyg_server rights.

This is caused by a bug in the login command. With the settings
above, rlogind is executed as the cyg_server account. If .rhosts
is valid, rlogind executes the login command with the -f flag.
This should switch the user account to the user specified.
However, the login command fails to switch the account.
As a result, the shell is executed as the cyg_server account
instead of the specified user account.

I looked into this problem, and found the bug is in login.c.
The account information of the targeted user is set to a pointer:
    struct passwd *pwd;
by calling getpwnam(username).
This pointer points to the system static area. This area is
overwritten with the account information of the current user,
i.e. cyg_server, by calling getpwuid(uid) in isROOT_UID().
getpwnam() and getpwuid() seem to share the same system area.

login calls setuid(pwd->pw_uid) and setgid(pwd->pw_gid) to
switch the account, however the area pointed to by pwd is already
overwritten with the information of the current user.
As a result, the account switching is done to the same user
account (cyg_server) though it should be done to the account
Above is the mechanism of this bug.
Takashi Yano <firstname.lastname@example.org>
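
Added example, not part of the original post and not the actual login.c code: the pointer pattern described above, beside a lookup that uses getpwnam_r() to keep the target account in caller-owned storage. current_user_known() is a hypothetical stand-in for isROOT_UID(), and "root" is only a sample account name.

```c
#define _POSIX_C_SOURCE 200809L  /* for getpwnam_r() */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct target_ids { uid_t uid; gid_t gid; };

/* Hypothetical stand-in for isROOT_UID(): its getpwuid() call may reuse
 * the static area that an earlier getpwnam() result points into. */
static int current_user_known(void)
{
    return getpwuid(getuid()) != NULL;
}

/* Pattern from the report: keep the getpwnam() pointer across getpwuid().
 * Returns 1 if the entry no longer names `name`, 0 if intact, -1 if unknown. */
int pointer_went_stale(const char *name)
{
    struct passwd *pwd = getpwnam(name);
    if (pwd == NULL)
        return -1;
    (void)current_user_known();
    return strcmp(pwd->pw_name, name) != 0;
}

/* Hardened lookup: getpwnam_r() fills storage owned by the caller, so the
 * later getpwuid() cannot change the IDs handed to setgid()/setuid(). */
int resolve_target(const char *name, struct target_ids *out)
{
    struct passwd pw, *res = NULL;
    char buf[16384];
    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    (void)current_user_known();
    out->uid = pw.pw_uid;
    out->gid = pw.pw_gid;
    return 0;
}

int main(void)
{
    struct target_ids ids;
    if (resolve_target("root", &ids) != 0)
        return 1;                     /* refuse to switch on lookup failure */
    printf("root -> uid=%ld gid=%ld, stale pointer: %d\n",
           (long)ids.uid, (long)ids.gid, pointer_went_stale("root"));
    return 0;
}
```

On a C library where the two calls share one static area, pointer_went_stale() returns 1 whenever the calling account differs from the requested one; resolve_target() returns the requested account's IDs either way.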