* Andrew Brown <[EMAIL PROTECTED]> [010213 14:38] wrote:
> >When crontab has determined the name of the user calling crontab (using
> >getpwuid()),
> >the login name is stored in a 20 byte buffer using the strcpy() function
> >(which does no bounds checking). 'useradd' (the utility used to add users
> >to the system)
> >however allows usernames of over 20 characters (32 at most on my distribution).
>
> i can see how this is an "issue", but don't you already have to be
> root to get a user name longer than 20 characters? or are you just
> assuming that some admins out there will fail to balk at such a
> strange request?
I vaguely remeber some packages that allow non-root users to add
other non-root users, if the wrapper script/program isn't careful
about limiting the username someone trusted to do account additions
may gain root if this is exploitable.
--
-Alfred Perlstein - [[EMAIL PROTECTED]|[EMAIL PROTECTED]]
"I have the heart of a child; I keep it in a jar on my desk."
