Subject: Invalid UIDs default to 0
To: None <current-users@NetBSD.ORG>
From: Rick Byers <rickb@iaw.on.ca>
List: current-users
Date: 05/14/1997 18:02:28
Hi...

I recently noticed this on bugtraq, and verified the same problem with
NetBSD.  The pw_scan function in libutil uses atol to convert the uid and
gid strings into ints.  I would recommend using strtol, and comparing
endptr with nptr to make sure some valid characters were scanned.  Maybe
even failing to go if there are any invalid characters in the uid/gid
fields.

This has the effect that having a non-number at the beginning of a uid
field is the same as 0 (root).  I'm worried that that may happen by
accident someday - and some unsuspecting user is suddenly root.  Of course
telnet will refuse access, but anyone in wheel (possibly because of an
invalid character in the gid field), can su to that user (root).  I'm sure
there are other ways of exploiting this as well.  Uid 0 should definitely NOT
be the default!

Rick

=========================================================================
Rick Byers                                      Internet Access Worldwide
rickb@iaw.on.ca                                      System Administrator
Welland, Ontario, Canada                                    (905)714-1400
http://www.iaw.on.ca/rickb/                         http://www.iaw.on.ca/
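The atol-versus-strtol point above, shown as an added example (not NetBSD's pw_scan code, and not code from the poster). The function names parse_uid_atol, parse_id_strict, parse_id_value and passwd_line_ids_valid are hypothetical, and the two master.passwd-style lines are constructed sample input; the example contrasts the silent atol() fallback to 0 with a strict parse that checks endptr against the start of the string, rejects trailing characters, signs and whitespace, and range-checks the result.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Legacy behaviour being criticised: atol() returns 0 for "xyz" or "",
 * and stops at the first non-digit, so "12abc" becomes 12. */
uid_t parse_uid_atol(const char *s) { return (uid_t)atol(s); }

/* Strict parse of a uid/gid field. Returns 0 and stores the id on success,
 * -1 if the field is empty, has no digits, has trailing junk, carries a
 * sign or leading whitespace, or is out of range for a 32-bit id. */
int parse_id_strict(const char *s, uid_t *out)
{
    char *end;
    long v;

    if (s == NULL || *s == '\0') return -1;
    if (!isdigit((unsigned char)*s)) return -1;   /* rejects " 5", "+5", "-5", "x1" */
    errno = 0;
    v = strtol(s, &end, 10);
    if (end == s) return -1;                      /* nothing scanned (endptr == nptr) */
    if (*end != '\0') return -1;                  /* invalid characters after the number */
    if (errno == ERANGE) return -1;               /* overflowed long */
    if (v < 0 || (unsigned long)v > UINT32_MAX) return -1;
    *out = (uid_t)v;
    return 0;
}

/* Convenience wrapper: the parsed id, or -1 when parse_id_strict rejects it. */
long parse_id_value(const char *s)
{
    uid_t id;
    return parse_id_strict(s, &id) == 0 ? (long)id : -1L;
}

/* Copy 0-based ':'-separated field idx of line into buf. Returns 0 or -1. */
static int get_field(const char *line, int idx, char *buf, size_t buflen)
{
    const char *p = line, *e;
    size_t len;
    int i;

    for (i = 0; i < idx; i++) {
        p = strchr(p, ':');
        if (p == NULL) return -1;
        p++;
    }
    e = strchr(p, ':');
    len = e ? (size_t)(e - p) : strlen(p);
    if (len > 0 && p[len - 1] == '\n') len--;
    if (len >= buflen) return -1;
    memcpy(buf, p, len);
    buf[len] = '\0';
    return 0;
}

/* Audit check for a master.passwd-style line (name:passwd:uid:gid:...):
 * returns 1 if both the uid and gid fields parse strictly, else 0. */
int passwd_line_ids_valid(const char *line)
{
    char f[32];
    uid_t id;

    if (get_field(line, 2, f, sizeof f) != 0 || parse_id_strict(f, &id) != 0) return 0;
    if (get_field(line, 3, f, sizeof f) != 0 || parse_id_strict(f, &id) != 0) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample lines: a normal root entry and one with a typo in the uid. */
    const char *ok  = "root:*:0:0:Charlie &:0:0:Charlie Root:/root:/bin/csh";
    const char *bad = "alice:*:x1001:1001::0:0:Alice:/home/alice:/bin/sh";

    printf("atol(\"x1001\") = %lu   (silently root)\n", (unsigned long)parse_uid_atol("x1001"));
    printf("strict(\"x1001\") = %ld  (rejected)\n", parse_id_value("x1001"));
    printf("line ok: %d, line bad: %d\n", passwd_line_ids_valid(ok), passwd_line_ids_valid(bad));
    return 0;
}
```

Running the main prints the contrast: the atol path turns the mistyped uid into 0 while the strict path refuses it, and the line-level check flags the bad entry so a malformed field is caught when the file is edited rather than at the next su.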