diff options
| author | pst <pst@FreeBSD.org> | 1995-07-20 12:35:01 +0000 |
|---|---|---|
| committer | pst <pst@FreeBSD.org> | 1995-07-20 12:35:01 +0000 |
| commit | 5b689f15e465a18ad703ae47bdf9fed2c9808810 (patch) | |
| tree | f8c586808deac6da9ded256907cdca6bea9c497f /eBones | |
| parent | d1a257b33a50fd4779c8ca67330933932f98a90c (diff) | |
| download | FreeBSD-src-5b689f15e465a18ad703ae47bdf9fed2c9808810.zip FreeBSD-src-5b689f15e465a18ad703ae47bdf9fed2c9808810.tar.gz | |
When hostname len > 8, name replaced with dot notation when -u flag
not specified (default case).
Use _PATH_* for utmp/wtmp.
Support for >32 PTYs.
>Submitted by: Heikki Suonsivu <hsu@cs.hut.fi>
Plug already known security hole. (Brought over from 1.1.5):
Fixed security problem with telnetd, which allowed
telnet -l -hcert.org localhost
to change the user's host in utmp.
Thanks to Matthew Green <mrgreen@@mame.mu.oz.au> for showing me this one.
>Reviewed by: karl, guido
>Submitted by: mrgreen@mame.mu.oz.au
Obtained from: FreeBSD insecure telnetd
Diffstat (limited to 'eBones')
| -rw-r--r-- | eBones/libexec/telnetd/sys_term.c | 26 |
1 files changed, 19 insertions, 7 deletions
diff --git a/eBones/libexec/telnetd/sys_term.c b/eBones/libexec/telnetd/sys_term.c index b699a64..de577ed 100644 --- a/eBones/libexec/telnetd/sys_term.c +++ b/eBones/libexec/telnetd/sys_term.c @@ -46,9 +46,9 @@ static char sccsid[] = "@(#)sys_term.c 8.4 (Berkeley) 5/30/95"; # define PARENT_DOES_UTMP #endif +int utmp_len = MAXHOSTNAMELEN; #ifdef NEWINIT #include <initreq.h> -int utmp_len = MAXHOSTNAMELEN; /* sizeof(init_request.host) */ #else /* NEWINIT*/ # ifdef UTMPX # include <utmpx.h> @@ -58,10 +58,17 @@ struct utmpx wtmp; struct utmp wtmp; # endif /* UTMPX */ -int utmp_len = sizeof(wtmp.ut_host); # ifndef PARENT_DOES_UTMP +#ifdef _PATH_WTMP +char wtmpf[] = _PATH_WTMP; +#else char wtmpf[] = "/usr/adm/wtmp"; +#endif +#ifdef _PATH_UTMP +char utmpf[] = _PATH_UTMP; +#else char utmpf[] = "/etc/utmp"; +#endif # else /* PARENT_DOES_UTMP */ char wtmpf[] = "/etc/wtmp"; # endif /* PARENT_DOES_UTMP */ @@ -504,7 +511,7 @@ int *ptynum; p2 = &line[14]; #endif - for (cp = "pqrstuvwxyzPQRST"; *cp; cp++) { + for (cp = "pqrsPQRS"; *cp; cp++) { struct stat stb; *p1 = *cp; @@ -516,8 +523,8 @@ int *ptynum; */ if (stat(line, &stb) < 0) break; - for (i = 0; i < 16; i++) { - *p2 = "0123456789abcdef"[i]; + for (i = 0; i < 32; i++) { + *p2 = "0123456789abcdefghijklmnopqrstuv"[i]; p = open(line, 2); if (p > 0) { #ifndef __hpux @@ -1544,7 +1551,7 @@ start_login(host, autologin, name) { register char *cp; register char **argv; - char **addarg(); + char **addarg(), *user; extern char *getenv(); #ifdef UTMPX register int pid = getpid(); @@ -1727,7 +1734,12 @@ start_login(host, autologin, name) # endif } else #endif - if (getenv("USER")) { + if (user = getenv("USER")) { + if (strchr(user, '-')) { + syslog(LOG_ERR, "tried to pass user \"%s\" to login", + user); + fatal(net, "invalid user"); + } argv = addarg(argv, getenv("USER")); #if defined(LOGIN_ARGS) && defined(NO_LOGIN_P) { |
