A security hole
terry
terry at wsccs.UUCP
Tue Mar 15 12:57:04 AEST 1988
In article <478 at minya.UUCP>, jc at minya.UUCP (John Chambers) writes:
} In article <722 at rivm05.UUCP>, ccement at rivm.UUCP (Martien F v Steenbergen) writes:
} In article <181 at wsccs.UUCP>, I write:
} >
} > Do NOT write a setuid program that uses getcwd(). The getcwd() call
} > does a popen() of the "pwd" shell command and does not check its path.
}
} Also, I'm sure that I'm far from the only one who is getting tired of seeing
} dire warnings like:
} The 'cc' command contains a MAJOR security hole; you should delete it
} from your system as fast as possible. I can't tell you what the hole
} is, because it would allow any hacker to break into any Unix system in
} the world. Believe me; I know what I'm talking about.
} It's easy enough to make up warnings like these, but many of them turn out
} on investigation to be full of bull; some are in fact fraudulent attempts
} to discredit someone else's useful software.
Read the source code. I was simply pointing out something you should
be aware of. The fix, if you haven't figured it out for yourself yet, is to
simply force the path for pwd. I was simply suggesting that AT&T fix it.
} Anyhow, what can one do with getcwd() or popen() within a setuid program
} (root or otherwise) that isn't a consequence of the search path?
Nothing. That's not the point. How do you specify the PATH env
variable from within your C program? Inquiring minds want to know...
The whole point, I thought, of this bugs forum was to bring bugs to the
attention of the people in charge of removing them.
} If there
} is a real security hole here, I'd be very interested in reading about it.
Well... how do _you_ do a mknod under sys5? Is it a suid root program
on _your_ system, like everyone else's, or do you always log in as root? Do you
determine path via osmosis, or some method unbeknownst to us? If not, it's
a problem.
When all else fails, consult the source code.
| Terry Lambert UUCP: ...!{ decvax, ihnp4 }... |
| @ Century Software or : ...utah-cs!uplherc!sp7040!obie!wsccs!terry |
| SLC, Utah |
| These opinions are not my companies, but if you find them |
| useful, send a $20.00 donation to Brisbane Australia... |
| 'There are monkey boys in the facility. Do not be alarmed; you are secure' |
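Terry's fix ("force the path for pwd") and the question of how a C program sets PATH, as an added C example that is not from the post or from AT&T's getcwd(): SAFE_PATH, force_safe_path() and safe_pwd() are names invented here. It assumes a POSIX libc with setenv()/popen(); on modern systems /bin/sh runs pwd as a builtin, so the pinning pattern matters for any helper a privileged program spawns through popen(), not just pwd.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Search path forced by the privileged program before it spawns any helper.
 * Constructed value for this example; use your system's trusted directories. */
#define SAFE_PATH "/bin:/usr/bin"

/* Replace whatever PATH the invoking user supplied with SAFE_PATH.
 * Returns 0 on success, -1 on failure (setenv's own convention). */
int force_safe_path(void)
{
    return setenv("PATH", SAFE_PATH, 1);   /* overwrite = 1 */
}

/* Same job as the getcwd() the post describes (a popen() of "pwd"), but the
 * search path is pinned first, so "pwd" cannot resolve outside SAFE_PATH.
 * Writes the directory into buf without the trailing newline.
 * Returns 0 on success, -1 otherwise. */
int safe_pwd(char *buf, size_t size)
{
    FILE *fp;
    size_t len;

    if (size == 0 || force_safe_path() != 0)
        return -1;
    fp = popen("pwd", "r");     /* popen("/bin/pwd", "r") would bypass PATH entirely */
    if (fp == NULL)
        return -1;
    if (fgets(buf, (int)size, fp) == NULL) {
        pclose(fp);
        return -1;
    }
    if (pclose(fp) != 0)        /* helper failed or could not be run */
        return -1;
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[len - 1] = '\0';
    return 0;
}

int main(void)
{
    char buf[4096];

    if (safe_pwd(buf, sizeof buf) != 0) {
        fprintf(stderr, "safe_pwd failed\n");
        return 1;
    }
    printf("cwd=%s PATH=%s\n", buf, getenv("PATH"));
    return 0;
}
```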
More information about the Comp.bugs.sys5 mailing list