Workaround patch for chfn/chsh security hole (SunOS 3.x and 4.x)

prl at eiger.uucp
Wed Feb 1 22:22:03 AEST 1989


There is a hole in chfn(1) and chsh(1) which allows normal users to create
user-id 0 entries in /etc/passwd with no password. This allows them to
become root (superuser) on the machine.

The workaround is to disable these commands for normal users.

The workaround is different for SunOS 3.x and 4.x.

You will need to be root to apply this workaround.

We have been using this workaround at IIS since about the middle of
January without any problems. The workaround causes users without root
privilege to be unable to use passwd -f, passwd -s (4.x only), chfn and
chsh.

I have submitted this patch to Sun Switzerland as a followup to my bug
report on this problem. A better fix, if you have source, is to apply Keith
Bostic's fixes to passwd.c and install that.

SunOS 3.x:
##########

	chmod 755 /usr/ucb/chfn /usr/ucb/chsh

	(this may produce the error message
		chmod: /usr/ucb/chfn: No such file or directory
	this means that your system doesn't have chfn)


SunOS 4.0:
##########

	<barossa>  cp /bin/passwd .
	<barossa> strings -o passwd | egrep '(fsF:|chfn|chsh)$'
	  17128 chfn
	  17133 chsh
	  17174 fsF:
	  18402 chsh
	  18451 chfn
	<barossa> adb -w - passwd
	not core file = passwd
*	0t17128/s
	0x42e8:         chfn
*	./w 0
	0x42e8:         0x6368  =       0x0
*	0t17133/s
	0x42ed:         chsh
*	./w 0
	0x42ed:         0x6368  =       0x0
*	0t17174/s
	0x4316:         fsF:
*	/X
	0x4316:         6673463a
*	./W 0x463a0000
	0x4316:         0x6673463a      =       0x463a0000
*	0t18402/s
	0x47e2:         chsh
*	./w 0
	0x47e2:         0x6368  =       0x0
*	0t18451/s
	0x4813:         chfn
*	./w 0
	0x4813:         0x6368  =       0x0
*	$q
	<barossa> strings -o passwd | egrep '(fsF:|chfn|chsh)$'
	<barossa> mv /bin/passwd /bin/passwd.old
	<barossa> cp ./passwd /bin/passwd
	<barossa> chmod 4755 /bin/passwd
	<barossa> chmod 755 /bin/passwd.old /bin/chfn /bin/chsh


Notes:
	Lines starting <barossa> are typed as shell commands.
	Lines starting with `*' are input lines to `adb' (don't type the *!).
	All other lines are computer output.
	The second call of `strings' should produce no output.
	The numbers above (output from strings and input to adb)
	are for SunOS 4.0.1. Use the corresponding numbers produced
	by strings on your system if they are different.
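The adb edits above, generalised as an added example (not part of the original post or of Sun's passwd source) in Python: it locates every NUL-terminated occurrence of the three strings in a constructed stand-in binary, applies the same byte-level overwrites adb did (`./w 0` zeroes two bytes, `./W 0x463a0000` writes `F:\0\0`), and re-runs the `strings`-style check the post uses to confirm nothing is left. The sample bytes and offsets are constructed, not taken from a real /bin/passwd.

```python
import re
import sys

# Constructed stand-in for a SunOS 4.x /bin/passwd: the five strings the post's
# `strings -o` finds, separated by non-printable filler. Offsets are invented.
SAMPLE_BINARY = (
    b"\x01\x02\x03\x04" + b"\x00" * 4        # 8 bytes of filler
    + b"chfn\x00" + b"chsh\x00"              # argv[0] names at offsets 8 and 13
    + b"\x80" * 6
    + b"fsF:\x00"                            # getopt string at offset 24
    + b"\x00" * 3 + b"chsh\x00"              # offset 32
    + b"\x7f\x7f" + b"chfn\x00"              # offset 39
)

# Same overwrites as the adb session: `./w 0` stores a 2-byte zero word over the
# start of "chfn"/"chsh" so the argv[0] comparison can never match; `./W 0x463a0000`
# stores 'F', ':', 0, 0 over "fsF:" so getopt no longer accepts -f or -s.
PATCHES = {
    b"chfn\x00": b"\x00\x00",
    b"chsh\x00": b"\x00\x00",
    b"fsF:\x00": b"F:\x00\x00",
}

def find_strings(blob, min_len=4):
    """(offset, value) for every printable NUL-terminated run, like `strings -o`."""
    pat = rb"([\x20-\x7e]{%d,})\x00" % min_len
    return [(m.start(), m.group(1)) for m in re.finditer(pat, blob)]

def leftover(blob):
    """Strings the post's `strings -o | egrep '(fsF:|chfn|chsh)$'` check would still flag."""
    return [(off, s) for off, s in find_strings(blob) if re.search(rb"(fsF:|chfn|chsh)$", s)]

def apply_patches(blob):
    """Return a patched copy plus the (offset, string) edits made; length is unchanged."""
    out = bytearray(blob)
    edits = []
    for needle, repl in PATCHES.items():
        start = 0
        while (off := out.find(needle, start)) >= 0:
            out[off:off + len(repl)] = repl
            edits.append((off, needle[:-1]))
            start = off + len(needle)
    return bytes(out), edits

if __name__ == "__main__":
    # Usage: patch_passwd.py <copy-of-passwd>; writes <copy>.patched, never the original.
    data = open(sys.argv[1], "rb").read()
    patched, edits = apply_patches(data)
    open(sys.argv[1] + ".patched", "wb").write(patched)
    print("patched", edits, "remaining", leftover(patched))
```

As with the adb procedure, run it on a copy, confirm `leftover` is empty, and only then move the result into place with the setuid bit restored.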

Peter Lamb				uucp:  seismo!mcvax!ethz!prl
Tel: (01) 256 5241 (Switzerland)	eunet: prl at iis.ethz.ch
     +411 256 5241 (International)

Integrated Systems Laboratory
ETH-Zentrum
8092 Zurich
