COMMAND

    libc-4.6.27

SYSTEMS AFFECTED

    Systems using libc-4.6.27  or earlier with  an entry of  +::0:0:::
    in the password file. The NYS library seems to check for it.

PROBLEM

    To get yellow pages (NIS) to work, the standard says you need  to
    have a +::0:0::: or a +:*:0:0::: entry at the end of /etc/passwd (I
    know that in Linux this is not necessary, but I think most  system
    administrators still do it that way). The problem is that  library
    functions such as getpwnam() treat '+' as a normal user name, so if
    you have +::0:0::: in /etc/passwd, what you really have is a
    passwordless root account. And since login/su do not test  whether
    a username begins with a +, guess what happens?

    It allows anyone to become the user whose entry comes before an
    entry starting with a "+" in /etc/passwd, e.g. if you have

    man:*:13:15:man:/usr/man:
    postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash
    ftp:*:404:1::/home/ftp:/bin/bash
    +@mygroup
    -@hackers
    +

    in /etc/passwd, then the commands

    su +@mygroup
    su -- -@hackers
    su +

    will su to ftp without a password.

    I contacted the author of login (Peter Orbaek, poe@daimi.aau.dk),
    and he has released a new version that tests for usernames starting
    with +. However, I have not been able to report the bug to GNU
    (responsible for su) nor to the maintainers of the libraries. So
    here goes the patch for su.c:

    If username starts with  +, it is not  valid, as it is  the anchor
    for yellow  pages. Otherwise,  we have  a gigantic  security hole.
    This is just a  dirty hack to fix  it, as this should  be fixed in
    the libraries instead of programs. Feb 95. <alvaro@etsit.upm.es>.

    if (new_user[0] == '+')
        error (1, 0, "user %s does not exist", new_user);
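    As an added illustration (example code written for this page, not
    from the advisory or from su.c), here is the same check as a reusable
    C helper, generalised to reject names starting with '-' as well (cf.
    the `su -- -@hackers` case above), plus a small audit routine that
    counts NIS compat entries in passwd-style text. The helper names are
    hypothetical and the sample passwd text is constructed from the
    excerpt above.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample, modelled on the advisory's /etc/passwd excerpt. */
static const char *sample_passwd =
    "man:*:13:15:man:/usr/man:\n"
    "postmaster:*:14:12:postmaster:/var/spool/mail:/bin/bash\n"
    "ftp:*:404:1::/home/ftp:/bin/bash\n"
    "+@mygroup\n"
    "-@hackers\n"
    "+\n";

/* Hypothetical helper generalising the su.c hack: a name that login/su
 * may hand to getpwnam() must be non-empty, must not begin with the NIS
 * compat markers '+' or '-', and must use ordinary login-name characters.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int login_name_ok(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '+' || name[0] == '-')
        return 0;
    for (const char *p = name; *p != '\0'; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-' && *p != '.')
            return 0;
    return 1;
}

/* Audit helper: count lines of passwd-style text whose name field starts
 * with '+' or '-'. On the affected libc each such line is resolved by
 * getpwnam() as if it were a real user, so every hit deserves review. */
int count_compat_entries(const char *text)
{
    int n = 0;
    const char *line = text;
    while (*line != '\0') {
        if (line[0] == '+' || line[0] == '-')
            n++;
        const char *nl = strchr(line, '\n');
        if (nl == NULL)
            break;
        line = nl + 1;
    }
    return n;
}

int main(void)
{
    printf("NIS compat entries in sample: %d\n", count_compat_entries(sample_passwd));
    printf("accept '+' as su target: %d\n", login_name_ok("+"));
    printf("accept 'ftp' as su target: %d\n", login_name_ok("ftp"));
    return 0;
}
```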

SOLUTION

    Upgrade your C library.