A security hole

terry terry at wsccs.UUCP
Tue Mar 15 12:57:04 AEST 1988


In article <478 at minya.UUCP>, jc at minya.UUCP (John Chambers) writes:
} In article <722 at rivm05.UUCP>, ccement at rivm.UUCP (Martien F v Steenbergen) writes:
} In article <181 at wsccs.UUCP>, I write:
} > 
} > 	Do NOT write a setuid program that uses getcwd().  The getcwd() call
} > does a popen() of the "pwd" shell command and does not check its path.
} 
} Also, I'm sure that I'm far from the only one who is getting tired of seeing
} dire warnings like:
} 	The 'cc' command contains a MAJOR security hole; you should delete it
} 	from your system as fast as possible.  I can't tell you what the hole
} 	is, because it would allow any hacker to break into any Unix system in
} 	the world.  Believe me; I know what I'm talking about.
} It's easy enough to make up warnings like these, but many of them turn out
} on investigation to be full of bull; some are in fact fraudulent attempts
} to discredit someone else's useful software.

	Read the source code.  I was simply pointing out something you should
be aware of.  The fix, if you haven't figured it out for yourself yet, is to
simply force the path for pwd.  I was simply suggesting that AT&T fix it.

} Anyhow, what can one do with getcwd() or popen() within a setuid program
} (root or otherwise) that isn't a consequence of the search path?

	Nothing.  That's not the point.  How do you specify the PATH env
variable from within your C program?  Inquiring minds want to know...
The whole point, I thought, of this bugs forum, was to bring bugs to the
attention of the people in charge of removing them.

}                                                                   If there
} is a real security hole here, I'd be very interested in reading about it.

	Well... how do _you_ do a mknod under sys5?  Is it a suid root program
on _your_ system, like everyone else's, or do you always log in as root?  Do you
determine path via osmosis, or some method unbeknownst to us?  If not, it's
a problem.

	When all else fails, consult the source code.

| Terry Lambert           UUCP: ...!{ decvax, ihnp4 }...                      |
| @ Century Software       or : ...utah-cs!uplherc!sp7040!obie!wsccs!terry    |
| SLC, Utah                                                                   |
|                   These opinions are not my company's, but if you find them |
|                   useful, send a $20.00 donation to Brisbane Australia...   |
| 'There are monkey boys in the facility.  Do not be alarmed; you are secure' |


