A security hole
Gilles BERGER SABBATEL
berger at imag.UUCP
Tue Mar 1 01:49:33 AEST 1988
In article <181 at wsccs.UUCP> terry at wsccs.UUCP (terry) writes:
>
> Do NOT write a setuid program that uses getcwd(). The getcwd() call
>does a popen() of the "pwd" shell command and does not check it's path. This
>means that someone could write their own pwd and execute the command from
>their directory, thus gaining root access via a sh -c.
I am not sure this is a real problem. As far as I know, pwd is built in
the standard sys V shell. Whenever you try to execute pwd, the builtin
command is executed, even if there is another pwd in your path.
The only way to execute another pwd is to give explicitely its full
pathname (ex: ./pwd), so I think that getcwd() is quite secure.
Obviously, the problem could exist if /bin/sh were not the standard sys V
shell.
--
Gilles BERGER SABBATEL
IMAG-TIM3/INPG, 46 Avenue Felix Viallet, F-38031 GRENOBLE CEDEX - FRANCE
Tel: 76 47 98 55 Ext: 606
UUCP: ...!seismo!mcvax!inria!archi!berger or: berger at archi
More information about the Comp.bugs.sys5
mailing list