[Bug 787] Minor security problem due to use of deprecated NGROUPS_MAX in uidswap.c (sshd)

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Jan 13 21:55:38 EST 2004


http://bugzilla.mindrot.org/show_bug.cgi?id=787

           Summary: Minor security problem due to use of deprecated
                    NGROUPS_MAX in uidswap.c (sshd)
           Product: Portable OpenSSH
           Version: 3.7.1p2
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: openssh-bugs at mindrot.org
        ReportedBy: holger at van-lengerich.de


I am able to produce the following behaviour by sshd on Solaris 2.8 and Linux
2.4.23, when NGROUPS_MAX at runtime is larger than at compile-time:

On both systems "fatal: getgroups: Invalid argument" gets logged via syslog   
and the sshd is terminating before any authentication is attempted. I located
the problem in uidswap.c, where deprecated NGROUPS_MAX is used.

NGROUPS_MAX is defined in limits.h and tells the maximum number
of groups which an account can be a member of. As NGROUPS_MAX is determined at
compile-time, this limit gets hardcoded into the resulting binary. As
NGROUPS_MAX may be larger at runtime than at compile-time it should be
regarded as deprecated and sysconf(_SC_NGROUPS_MAX) should be used instead.
(see APUE 2.4.5 also)

In uidswap.c, line 41 NGROUPS_MAX is used to initialize static arrays in
global context. These 2 occurrences of NGROUPS_MAX cannot be substituted
through sysconf(_SC_NGROUPS_MAX) easily as memory has to be allocated at runtime.

In the same file NGROUPS_MAX is referenced in line 72 and 81. These occurrences
can be replaced easily, once memory for the arrays is allocated according to
sysconf(_SC_NGROUPS_MAX).

This bug also constitutes a minor security problem as it may be exploited to
remotely enumerate accounts, which are members of more than NGROUPS_MAX at
compile-time.


