Security hole in xdm in XFree86-1.2, 1.3

Post by Ian Jacks » Wed, 01 Sep 1993 05:44:21

I have found that xdm from XFree86-1.2 and 1.3 fails to set the list
of groups correctly under Linux, due to #define'ing GID_T to be int,
rather than gid_t (==short).  This means that only the groups in the
first half of the intended list are actually set, interleaved with
multiple instances of the zero group.

On many systems group 0 is the `system' group, and is able to write to
critical files and/or directories.

I enclose a patch to dm.h in the xdm sources which adds __linux__ to
the list of systems in the #ifdef for using gid_t.  IMHO the correct
answer is to rip out all the horrible group-searching logic and have
xdm call the library function available for exactly this purpose:
initgroups.  However I didn't feel I had sufficient understanding of
xdm's rather tortuous internals to do this right.

The source I have came from the BSD X distribution, but the Linux
binaries I have from XFree86-1.2 and 1.3 both exhibit the same buggy
behaviour.  I don't know whether earlier releases of XFree86/X386 have
the problem.

By the time you read this I will have uploaded a fixed binary to
sunsite and tsx-11.  My PGP2 digital signature of the gzipped binary
is enclosed below.  Note that it has had another alteration made to
make it display the kernel version between the hostname (err, whatever
your normal greeting string is) and login prompt.  If you don't like
it get the source and compile your own :-).

It would be nice if XFree86-2.0 had an xdm that had this bug fixed.

 diff -u dm.h{~,}
 --- dm.h~       Fri Sep 25 04:39:54 1992
 +++ dm.h        Mon Aug 30 12:41:27 1993

  };

  /* setgroups is not covered by POSIX, arg type varies */
 -#if defined(SYSV) || defined(SVR4)
 +#if defined(SYSV) || defined(SVR4) || defined(__linux__)
  #define GID_T gid_t
  #else
  #define GID_T int
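Review bot: the hunk cannot be applied with patch(1) as quoted, because the `@@` header is missing and the context stops before the `#endif` that closes the `#if`; please regenerate it with full context from `diff -u`. The one-token change itself, `|| defined(__linux__)` on the `SYSV`/`SVR4` test so that `GID_T` expands to `gid_t` rather than `int`, is the minimal fix for the half-width array the post describes. Since the comment immediately above says "arg type varies", keying the conditional on the platform list will need another entry for every new port; a configure-time check of the `setgroups` prototype, or the `initgroups` route mentioned in the post, would avoid that.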

-----BEGIN PGP MESSAGE-----
Version: 2.3a

iQCVAgUALIHr7cMWjroj9a3bAQHrUAP/fbgA9VNRg5buVGK9wAdDxtf485kxlowq
PCsntNwQy+1nbEMtZ3yqKTKnWIkD1hiP0Pl9IN48idb2VGdRN9ky+9cduz11w3e8
aLmKa4Ut5GZ+CKvyXCquOAvM7Z5eCUtAWJGblw8rT2NNZIJLhPqD8NZl7NXYHMQk
WqWFJxropuI=
=Owzx
-----END PGP MESSAGE-----
--

35 Molewood Close, Cambridge, CB4 3SR, England;  phone: +44 223 327029
PGP2 public key on request; fingerprint = 5906F687 BD03ACAD 0D8E602E FCF37657
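The following is an added example, not Ian Jackson's code and not part of xdm; it reproduces the failure mode described in the post (a group list built as `int` but consumed by a kernel expecting a narrower `gid_t`) and contrasts it with a list built in the correct width. It assumes the 16-bit `gid_t` and little-endian byte order of i386 Linux at the time, and stands in for both with fixed-width types so it runs identically on any host; the sample group ids and the function names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in types (added example, not xdm's code).  On the
 * 1993 Linux libc gid_t was a 16-bit value, while xdm's GID_T expanded
 * to int (32-bit).  Fixed-width types keep the demonstration identical
 * on any host. */
typedef uint16_t kernel_gid_t;  /* width setgroups() actually reads */
typedef int32_t  xdm_gid_t;     /* width xdm wrote (GID_T == int)    */

/* Simulate the kernel reading n kernel_gid_t entries from a buffer that
 * xdm filled with n xdm_gid_t entries.  Assumes the little-endian byte
 * order of i386, so each 32-bit int yields its low half, then its high
 * half (zero for any ordinary group id).  Returns entries written. */
size_t kernel_view(const xdm_gid_t *built, size_t n,
                   kernel_gid_t *out, size_t out_cap)
{
    size_t i;
    if (n > out_cap)
        n = out_cap;
    for (i = 0; i < n; i++) {
        uint32_t word = (uint32_t)built[i / 2];
        out[i] = (i % 2 == 0) ? (kernel_gid_t)(word & 0xFFFFu)
                              : (kernel_gid_t)(word >> 16);
    }
    return n;
}

/* How many of the groups the kernel installed are group 0 */
size_t count_zero_groups(const kernel_gid_t *g, size_t n)
{
    size_t i, zeros = 0;
    for (i = 0; i < n; i++)
        if (g[i] == 0)
            zeros++;
    return zeros;
}

/* Correct construction: build the list in the kernel's own width, and
 * refuse any id that does not fit rather than silently truncating it.
 * Returns entries written, or 0 on error. */
size_t build_group_list(const xdm_gid_t *wanted, size_t n,
                        kernel_gid_t *out, size_t out_cap)
{
    size_t i;
    if (n > out_cap)
        return 0;
    for (i = 0; i < n; i++) {
        if (wanted[i] < 0 || (uint32_t)wanted[i] > 0xFFFFu)
            return 0;
        out[i] = (kernel_gid_t)wanted[i];
    }
    return n;
}

int main(void)
{
    /* constructed sample: four supplementary groups for one user */
    const xdm_gid_t wanted[4] = {100, 200, 300, 400};
    kernel_gid_t seen[4], good[4];
    size_t i, n;

    n = kernel_view(wanted, 4, seen, 4);
    printf("buggy  :");
    for (i = 0; i < n; i++)
        printf(" %u", (unsigned)seen[i]);
    printf("  (%zu entries are group 0)\n", count_zero_groups(seen, n));

    n = build_group_list(wanted, 4, good, 4);
    printf("correct:");
    for (i = 0; i < n; i++)
        printf(" %u", (unsigned)good[i]);
    printf("\n");
    return 0;
}
```

With the sample list the buggy view is `100 0 200 0`: only the first half of the intended groups, each followed by group 0, which is exactly the interleaving the post describes and why a privileged group 0 membership can appear where none was intended.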


Security from outside call-ins

I am on a Sun 3/260 running SunOS3.5.  Plugged into Serial Port A
I have a Microcom AX/2400 modem.  Some of the users at my site are
so dedicated that they actually want to be able to do some work
while they are home by way of calling in on their modems! (Can
you believe it?)  

Here's the question:  They (the users) have told me of other
systems they have been on (I believe Vax's) where they were
prompted to enter a system password before they were even asked for
their own.  This could be some cryptic type of combination of
letters and numbers, making it almost impossible for the average
hacker to break. Anyone have ideas on how I could incorporate this
into my passwd file, but only having it prompt those who are dialing
in on the modem?  This could get to be a real pain if they had to
respond to another password every time they logged in from a
workstation here at work.

Then, once the caller successfully types in the system password,
they would still have to enter their own password.  Is such a
thing possible?  Thanks.
--
------------------------------------------------------------------
Don Cox :=)
UUCP: ..!rutgers!rochester!kodak!fedsys!scotty!dec
DISCLAIMER: The opinions expressed are mine and not of my employer.
