Subject: bin/31914: hardcoded UID for NOBODY in atrun.h
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org>
From: None <feico@pasta.cs.uit.no>
List: netbsd-bugs
Date: 10/25/2005 08:32:00
>Number: 31914
>Category: bin
>Synopsis: hardcoded UID for NOBODY in atrun.h
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: bin-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue Oct 25 08:32:00 +0000 2005
>Originator: Feico W. Dillema
>Release: NetBSD versions since 1998 (at least)
>Organization:
Invenia A.S.
>Environment:
System: NetBSD home.pasta.cs.uit.no 1.6.2_STABLE NetBSD 1.6.2_STABLE (HOME) #13: Sun Feb 27 15:31:27 CET 2005 root@home.pasta.cs.uit.no:/home/sources/netbsd-1.6.x/sys/arch/i386/compile/HOME i386
Architecture: i386
Machine: i386
>Description:
Hardcoded UID for NOBODY in atrun.h:

    #define NOBODY_UID 32767
    #define NOBODY_GID 32767

When user nobody in the passwd file is set to another uid, the at utility will
not run as user nobody. Even though unlikely, I think this could cause
(security) trouble when a sysadmin decides to be creative. Normally, user
nobody is set to uid 32767 but I have seen no mention that 32767 is special and
reserved and always mapped to user nobody in the manual pages. If it is special
and reserved (which I doubt to be the case in NetBSD), it should be mentioned
in the manpages of chown and vipw should probably prohibit changing it.
>How-To-Repeat:
>Fix:
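
Added example, not part of the original report and not NetBSD source: one way to check at run time whether the password database agrees with the constants quoted above, using getpwnam_r(3) instead of trusting a compiled-in number. The function names resolve_user and matches_hardcoded are hypothetical; the two constants are the ones quoted from atrun.h.

```c
/* Added example: compare the "nobody" passwd entry with the atrun.h constants. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* declares getpwnam_r under strict -std= modes */
#endif
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>

#define NOBODY_UID 32767   /* value quoted in the report */
#define NOBODY_GID 32767   /* value quoted in the report */

/* Look up `name` in the password database (hypothetical helper).
 * Returns 0 and fills *uid and *gid, or -1 if the account is missing. */
int resolve_user(const char *name, uid_t *uid, gid_t *gid)
{
    struct passwd pw, *res = NULL;
    char buf[4096];

    if (getpwnam_r(name, &pw, buf, sizeof buf, &res) != 0 || res == NULL)
        return -1;
    *uid = res->pw_uid;
    *gid = res->pw_gid;
    return 0;
}

/* 1: database agrees with the given IDs, 0: it differs, -1: no such account. */
int matches_hardcoded(const char *name, uid_t hard_uid, gid_t hard_gid)
{
    uid_t uid;
    gid_t gid;

    if (resolve_user(name, &uid, &gid) != 0)
        return -1;
    return uid == hard_uid && gid == hard_gid;
}

int main(void)
{
    switch (matches_hardcoded("nobody", NOBODY_UID, NOBODY_GID)) {
    case 1:  puts("nobody matches the compiled-in uid/gid"); break;
    case 0:  puts("nobody differs from the compiled-in uid/gid"); break;
    default: puts("no nobody account: do not fall back to a constant"); break;
    }
    return 0;
}
```

A privilege-dropping program would pass the IDs returned by resolve_user to setgid(2) and setuid(2), in that order, and stop if the lookup fails.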