Security loopholes
gwyn%brl-vld at sri-unix.UUCP
gwyn%brl-vld at sri-unix.UUCP
Fri Jul 1 17:11:32 AEST 1983
From: Doug Gwyn (VLD/VMB) <gwyn at brl-vld>
People here showed me a couple of things that should be checked carefully
in every piece of security-related system utility code:
(1) A program can be exec'ed with argc==0 ; make sure this doesn't cause
any problems.
(2) A program can be exec'ed with some of fd's 0, 1, and 2 closed; this
may cause unexpected problems. For example:
/*
passwd -- password changing utility [EXAMPLE]
*/
#include <stdio.h>
main()
{
FILE *pw_out = fopen( "/etc/passwd.new", "w" );
FILE *pw_in = fopen( "/etc/passwd", "r" );
printf( "New password: " );
... /* get password from stdin */
... /* having checked it, copy pw_in to pw_out changing user's data */
rename( "/etc/passwd.new", "/etc/passwd" );
exit( 0 );
}
Now, consider what happens if this program is run with fd 1
closed. pw_out would be opened with fd 1, and the printf()
would clobber root's data in the newly-constructed password file.
Of course, there are fixes in this particular case (and it may
not even work like that in practice) but the point should be clear.
More information about the Comp.unix.wizards
mailing list