[Bug 787] Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)
bugzilla-daemon at mindrot.org
Tue Jan 13 21:55:38 EST 2004
http://bugzilla.mindrot.org/show_bug.cgi?id=787
Summary: Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)
Product: Portable OpenSSH
Version: 3.7.1p2
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: sshd
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: holger at van-lengerich.de

I am able to produce the following behaviour by sshd on Solaris 2.8 and Linux
2.4.23, when NGROUPS_MAX at runtime is larger than at compile-time:

On both systems "fatal: getgroups: Invalid argument" gets logged via syslog
and the sshd is terminating before any authentication is attempted. I located
the problem in uidswap.c, where deprecated NGROUPS_MAX is used.

NGROUPS_MAX is defined in limits.h and tells the maximum number
of groups which an account can be a member of. As NGROUPS_MAX is determined at
compile-time, this limit gets hardcoded into the resulting binary. As
NGROUPS_MAX may be larger at runtime than at compile-time it should be
regarded as deprecated and sysconf(_SC_NGROUPS_MAX) should be used instead.
(see APUE 2.4.5 also)

In uidswap.c, line 41 NGROUPS_MAX is used to initialize static arrays in
global context. These 2 occurrences of NGROUPS_MAX cannot be substituted
through sysconf(_SC_NGROUPS_MAX) easily as memory has to be allocated at runtime.

In the same file NGROUPS_MAX is referenced in lines 72 and 81. These occurrences
can be replaced easily, once memory for the arrays is allocated according to
sysconf(_SC_NGROUPS_MAX).

This bug also constitutes a minor security problem as it may be exploited to
remotely enumerate accounts, which are members of more than NGROUPS_MAX at
compile-time.
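
The change the report asks for, as an added example that is not code from OpenSSH or from the reporter: the group buffer is sized from sysconf(_SC_NGROUPS_MAX) at runtime, next to the fixed-size pattern that fails with EINVAL. The function names get_groups_dynamic and get_groups_fixed are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: fetch the caller's supplementary groups into a heap
 * buffer sized from the runtime limit rather than compile-time NGROUPS_MAX.
 * Returns the group count and sets *out (caller frees), or -1 with errno set. */
static int get_groups_dynamic(gid_t **out)
{
    long max = sysconf(_SC_NGROUPS_MAX);   /* limit of the running system */
    if (max < 0) {
        errno = EINVAL;
        return -1;
    }
    /* POSIX lets getgroups() also return the effective GID, hence +1. */
    size_t cap = (size_t)max + 1;
    gid_t *buf = calloc(cap, sizeof(*buf));
    if (buf == NULL)
        return -1;
    int n = getgroups((int)cap, buf);
    if (n < 0) {
        int saved = errno;
        free(buf);
        errno = saved;
        return -1;
    }
    *out = buf;
    return n;
}

/* The pattern from the report: the caller's buffer holds only `compiled_max`
 * entries. getgroups() fails with EINVAL when the process has more groups. */
static int get_groups_fixed(gid_t *buf, int compiled_max)
{
    return getgroups(compiled_max, buf);
}

int main(void)
{
    gid_t *groups = NULL, one[1];
    int n = get_groups_dynamic(&groups);
    printf("dynamic: %d groups\n", n);
    if (get_groups_fixed(one, 1) < 0 && errno == EINVAL)
        printf("fixed buffer of 1: getgroups: Invalid argument\n");
    free(groups);
    return n < 0;
}
```

Handling the EINVAL case as an ordinary error, with the same externally visible behaviour for every account, also avoids the account-dependent difference the report points out.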