Date: Thu, 14 Jun 2018 00:02:48 +0900
From: Takashi Yano
To: cygwin AT cygwin DOT com
Subject: [bug: login] login command with -f flag fails to switch user account.
Message-Id: <20180614000248.ddf33c4bf1ee219388db1b65@nifty.ne.jp>

Hi,

I have found that the login command with the -f flag fails to switch the user account correctly.
This causes a severe security problem. A user can get a console with cyg_server rights without a password by following these steps.

Prepare:
0.1. Install rsh-server and rsh with the inetutils packages.
0.2. Set them up to work properly.

Steps:
1.1. Make ~/.rhosts with the line 'localhost'.
1.2. Execute 'rlogin localhost'.

Now you have the cyg_server rights.

This is caused by a bug in the login command. With the settings above, rlogind is executed as the cyg_server account. If .rhosts is valid, rlogind executes the login command with the -f flag. This should switch the user account to the user specified. However, the login command fails to switch the account. As a result, the shell is executed as the cyg_server account instead of the specified user account.

I looked into this problem, and found the bug is in login.c.

The account information of the targeted user is set to a pointer:

  struct passwd *pwd;

by calling getpwnam(username). This pointer points to the system static area. This area is overwritten with the account information of the current user, i.e. cyg_server, by calling getpwuid(uid) in isROOT_UID(). getpwnam() and getpwuid() seem to share the same system area.

login calls setuid(pwd->pw_uid) and setgid(pwd->pw_gid) to switch the account; however, the area pointed to by pwd has already been overwritten with the information of the current user. As a result, the account switching is done to the same user account (cyg_server) though it should be done to the account specified.

The above is the mechanism of this bug.

-- 
Takashi Yano
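The following C program is an added illustration of the mechanism described in the report; it is not the Cygwin login.c source. It models the shared static result area of getpwnam()/getpwuid() with two lookup functions (model_getpwnam, model_getpwuid) over a constructed two-account table, so the account names and uids are assumptions for the demonstration. switch_uid_buggy keeps the getpwnam() pointer across the isROOT_UID-style second lookup and so returns the current user's uid; switch_uid_fixed copies the uid and gid out of the static area before any further lookup and returns the intended target.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for the account database (not real system accounts). */
struct fake_account { const char *name; uid_t uid; gid_t gid; };
static const struct fake_account ACCOUNTS[] = {
    { "cyg_server", 1001, 545 },   /* the account rlogind runs as */
    { "alice",      1002, 545 },   /* the user named on the login -f command line */
};
#define N_ACCOUNTS (sizeof ACCOUNTS / sizeof ACCOUNTS[0])

/* One shared static result area, modelling what the report observes for the
 * getpwnam()/getpwuid() pair: every lookup overwrites the same struct. */
static struct passwd shared_result;
static char shared_name[64];

static struct passwd *fill(const struct fake_account *a) {
    strncpy(shared_name, a->name, sizeof shared_name - 1);
    shared_name[sizeof shared_name - 1] = '\0';
    memset(&shared_result, 0, sizeof shared_result);
    shared_result.pw_name = shared_name;
    shared_result.pw_uid = a->uid;
    shared_result.pw_gid = a->gid;
    return &shared_result;
}

struct passwd *model_getpwnam(const char *name) {
    for (size_t i = 0; i < N_ACCOUNTS; i++)
        if (strcmp(ACCOUNTS[i].name, name) == 0) return fill(&ACCOUNTS[i]);
    return NULL;
}

struct passwd *model_getpwuid(uid_t uid) {
    for (size_t i = 0; i < N_ACCOUNTS; i++)
        if (ACCOUNTS[i].uid == uid) return fill(&ACCOUNTS[i]);
    return NULL;
}

/* Stands in for the isROOT_UID() check from the report: it looks up the
 * *current* user, which reuses the shared static area. */
static int model_is_root_uid(uid_t current_uid) {
    struct passwd *me = model_getpwuid(current_uid);
    return me != NULL && me->pw_uid == 0;
}

/* Buggy ordering: the getpwnam() pointer is dereferenced after a second
 * lookup has clobbered the static area. Returns the uid that would be
 * handed to setuid(); (uid_t)-1 if the target does not exist. */
uid_t switch_uid_buggy(const char *target, uid_t current_uid) {
    struct passwd *pwd = model_getpwnam(target);
    if (pwd == NULL) return (uid_t)-1;
    (void)model_is_root_uid(current_uid);   /* overwrites *pwd with current user */
    return pwd->pw_uid;                      /* now the current user's uid */
}

/* Fixed ordering: copy the plain-value fields out of the static area before
 * any further passwd lookup, then use the copies for the privilege switch. */
uid_t switch_uid_fixed(const char *target, uid_t current_uid) {
    struct passwd *pwd = model_getpwnam(target);
    if (pwd == NULL) return (uid_t)-1;
    uid_t target_uid = pwd->pw_uid;          /* snapshot before the next lookup */
    gid_t target_gid = pwd->pw_gid;
    (void)model_is_root_uid(current_uid);
    (void)target_gid;                        /* would be passed to setgid() */
    return target_uid;
}

int main(void) {
    uid_t current = 1001;                    /* running as cyg_server */
    printf("buggy : setuid(%u)\n", (unsigned)switch_uid_buggy("alice", current));
    printf("fixed : setuid(%u)\n", (unsigned)switch_uid_fixed("alice", current));
    return 0;
}
```

The same hazard exists with the real libc functions, whose results are only valid until the next call of either function; besides snapshotting the fields as above, a caller can use the POSIX reentrant variants getpwnam_r()/getpwuid_r(), which write into a caller-supplied struct and buffer, so a later lookup for the current user cannot alias the target user's entry.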