authorpst <pst@FreeBSD.org>1995-07-20 12:35:01 +0000
committerpst <pst@FreeBSD.org>1995-07-20 12:35:01 +0000
commit5b689f15e465a18ad703ae47bdf9fed2c9808810 (patch)
treef8c586808deac6da9ded256907cdca6bea9c497f /secure/libexec
parentd1a257b33a50fd4779c8ca67330933932f98a90c (diff)
When hostname len > 8, name replaced with dot notation when -u flag
not specified (default case). Use _PATH_* for utmp/wtmp. Support for >32 PTYs. >Submitted by: Heikki Suonsivu <hsu@cs.hut.fi> Plug already known security hole. (Brought over from 1.1.5): Fixed security problem with telnetd, which allowed telnet -l -hcert.org localhost to change the user's host in utmp. Thanks to Matthew Green <mrgreen@mame.mu.oz.au> for showing me this one. >Reviewed by: karl, guido >Submitted by: mrgreen@mame.mu.oz.au Obtained from: FreeBSD insecure telnetd
Diffstat (limited to 'secure/libexec')
-rw-r--r--secure/libexec/telnetd/sys_term.c26
1 files changed, 19 insertions, 7 deletions
diff --git a/secure/libexec/telnetd/sys_term.c b/secure/libexec/telnetd/sys_term.c
index b699a64..de577ed 100644
--- a/secure/libexec/telnetd/sys_term.c
+++ b/secure/libexec/telnetd/sys_term.c
@@ -46,9 +46,9 @@ static char sccsid[] = "@(#)sys_term.c 8.4 (Berkeley) 5/30/95";
# define PARENT_DOES_UTMP
#endif
+int utmp_len = MAXHOSTNAMELEN;
#ifdef NEWINIT
#include <initreq.h>
-int utmp_len = MAXHOSTNAMELEN; /* sizeof(init_request.host) */
#else /* NEWINIT*/
# ifdef UTMPX
# include <utmpx.h>
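Review bot: `int utmp_len = MAXHOSTNAMELEN;` now applies to every build, and the `sizeof(wtmp.ut_host)` initialiser removed in the next hunk was the only visible link between this limit and the real width of the utmp host field. Any code outside this diff that copies the peer name into `ut_host` should be bounded by `sizeof(wtmp.ut_host)` rather than by `utmp_len`; none of those call sites are shown here, so this needs confirming. A comment on the new line would record the intent, for example `/* default host-name length limit (see -u); not the size of ut_host */`, assuming that matches the behaviour the commit message describes.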
@@ -58,10 +58,17 @@ struct utmpx wtmp;
struct utmp wtmp;
# endif /* UTMPX */
-int utmp_len = sizeof(wtmp.ut_host);
# ifndef PARENT_DOES_UTMP
+#ifdef _PATH_WTMP
+char wtmpf[] = _PATH_WTMP;
+#else
char wtmpf[] = "/usr/adm/wtmp";
+#endif
+#ifdef _PATH_UTMP
+char utmpf[] = _PATH_UTMP;
+#else
char utmpf[] = "/etc/utmp";
+#endif
# else /* PARENT_DOES_UTMP */
char wtmpf[] = "/etc/wtmp";
# endif /* PARENT_DOES_UTMP */
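Review bot: The `PARENT_DOES_UTMP` branch still hard-codes `char wtmpf[] = "/etc/wtmp";`, so only the `#ifndef PARENT_DOES_UTMP` configuration picks up `_PATH_WTMP`. Guarding that definition the same way (`#ifdef _PATH_WTMP` / `char wtmpf[] = _PATH_WTMP;` / `#else` … `#endif`) would keep the two configurations writing to the same accounting file. The added directives also start in column 0 while the surrounding ones use the nested `# ifdef` style. Whether `<paths.h>` is included before this point is not visible in the hunk.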
@@ -504,7 +511,7 @@ int *ptynum;
p2 = &line[14];
#endif
- for (cp = "pqrstuvwxyzPQRST"; *cp; cp++) {
+ for (cp = "pqrsPQRS"; *cp; cp++) {
struct stat stb;
*p1 = *cp;
@@ -516,8 +523,8 @@ int *ptynum;
*/
if (stat(line, &stb) < 0)
break;
- for (i = 0; i < 16; i++) {
- *p2 = "0123456789abcdef"[i];
+ for (i = 0; i < 32; i++) {
+ *p2 = "0123456789abcdefghijklmnopqrstuv"[i];
p = open(line, 2);
if (p > 0) {
#ifndef __hpux
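Review bot: The loop bound `32` and the length of the literal `"0123456789abcdefghijklmnopqrstuv"` have to be kept equal by hand, and a mismatch would index past the end of the string. Naming the table and deriving the bound removes that coupling: `static const char ptyunits[] = "0123456789abcdefghijklmnopqrstuv";` with `for (i = 0; i < (int)sizeof(ptyunits) - 1; i++)`. The previous hunk also narrows the bank letters from `"pqrstuvwxyzPQRST"` to `"pqrsPQRS"`, so a short comment stating the new naming scheme (8 banks of 32 units) would help anyone whose `/dev` still has nodes in the dropped banks. The enclosing function starts and ends outside these hunks.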
@@ -1544,7 +1551,7 @@ start_login(host, autologin, name)
{
register char *cp;
register char **argv;
- char **addarg();
+ char **addarg(), *user;
extern char *getenv();
#ifdef UTMPX
register int pid = getpid();
@@ -1727,7 +1734,12 @@ start_login(host, autologin, name)
# endif
} else
#endif
- if (getenv("USER")) {
+ if (user = getenv("USER")) {
+ if (strchr(user, '-')) {
+ syslog(LOG_ERR, "tried to pass user \"%s\" to login",
+ user);
+ fatal(net, "invalid user");
+ }
argv = addarg(argv, getenv("USER"));
#if defined(LOGIN_ARGS) && defined(NO_LOGIN_P)
{
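Review bot: The value that is validated is not the value that is passed on: the check runs on `user`, but the next line calls `getenv("USER")` again, so it should read `argv = addarg(argv, user);`. The assignment in the condition is also clearer as `if ((user = getenv("USER")) != NULL) {`. `strchr(user, '-')` rejects a hyphen anywhere in the name, which also locks out legitimate login names such as `first-last`; if only option injection into login's argument list is the concern, `user[0] == '-'` covers it. The branch before the `} else` is outside this hunk, so it is worth confirming that the name it passes to login gets the same check.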