Subject: Re: Security problem with pkgsrc/mail/majordomo
To: None <phoffman@proper.com>
From: Brook Milligan <brook@biology.nmsu.edu>
List: tech-pkg
Date: 03/09/2000 14:55:50

I've had a moment to look into this more and have come across the
following issues.

   I think either no -p option or -p *, followed by a warning, is fine. I do 
   *not* think that the default shell should be anything other than 
   /sbin/nologin, even if -p * is specified. If someone is going to take the 
   unlikely step of allowing someone to log in as majordom, they can make the 
   shell change in vipw.

First, validpassword() in addnerd.c will not accept the -p "*"
option, because it is too short.  The simple fix, of course, is to test
for that password and deem it valid.  Should this be added to addnerd?

Second, validshell() in addnerd.c uses getusershell() (which reads
/etc/shells) to check the argument of -s against.  /sbin/nologin is
not in /etc/shells, so this also fails.  Two possible fixes:  1) add
an explicit check for /sbin/nologin; 2) add /sbin/nologin to
/etc/shells.  Should either of these be added to addnerd?

Until then a workaround is to use a longer argument (13 *s) for -p and
be satisfied with a shell of /bin/sh (which is what happens when -s
/sbin/nologin is used).

Should we fix addnerd and/or /etc/shells or go with the workaround?

Cheers,
Brook
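
The two addnerd changes proposed in the message above (accept -p "*", and accept /sbin/nologin ahead of the getusershell() lookup), shown as an added example; this is not the code in addnerd.c. The function names and the 13-character minimum (taken from the workaround of 13 *s) are assumptions.

```c
/* Added example: hypothetical validators, not the code in addnerd.c. */
#define _DEFAULT_SOURCE            /* exposes getusershell() on glibc */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* BSD extensions; declared here too in case a strict -std= mode hides them. */
char *getusershell(void);
void setusershell(void);
void endusershell(void);

#define LOCKED_PASSWORD "*"        /* no password hash can match this field */
#define NOLOGIN_SHELL   "/sbin/nologin"
#define MIN_HASH_LEN    13         /* assumption: traditional DES crypt(3) length */

/* Return 1 if the -p argument is acceptable, 0 otherwise. */
int valid_password_field(const char *pw)
{
    if (pw == NULL)
        return 0;
    if (strcmp(pw, LOCKED_PASSWORD) == 0)   /* locked account: allowed explicitly */
        return 1;
    return strlen(pw) >= MIN_HASH_LEN;
}

/* Return 1 if the -s argument is acceptable, 0 otherwise. */
int valid_login_shell(const char *shell)
{
    const char *entry;
    int found = 0;

    if (shell == NULL)
        return 0;
    /* Fix 1 from the message: /etc/shells stays unchanged, which matters
     * because other programs (e.g. ftpd, chsh) consult that file too. */
    if (strcmp(shell, NOLOGIN_SHELL) == 0)
        return 1;
    setusershell();                          /* rewind to the first entry */
    while (!found && (entry = getusershell()) != NULL)
        found = (strcmp(entry, shell) == 0);
    endusershell();
    return found;
}

int main(void)
{
    printf("-p \"*\": %d\n", valid_password_field("*"));
    printf("-s /sbin/nologin: %d\n", valid_login_shell("/sbin/nologin"));
    return 0;
}
```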