A security hole

Mark Buda hermit at chessene.UUCP
Mon Mar 14 05:55:25 AEST 1988


In article <478 at minya.UUCP>, jc at minya.UUCP (John Chambers) writes:
> 
> Uh, I'm not sure I believe all this.  I mean, I understand why root should
> never include "." or any world-writable directories in its search path.
> [stuff]  If so, you
> aren't saying anything at all about getcwd() or popen(), just about search 
> paths.
> 
> Anyhow, what can one do with getcwd() or popen() within a setuid program
> (root or otherwise) that isn't a consequence of the search path?  If there
> is a real security hole here, I'd be very interested in reading about it.
> 
> John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)

Root's search path has nothing to do with setuid-root programs - they
get their path from the process that invokes them, so you don't have any
control over the search path (unless you explicitly change it in your
setuid program - but how many people think of doing that?)

--
Mark Buda, The Embattled Hermit          Domain: hermit at chessene.uucp
Dumb: ...{rutger,ihnp4,cbosgd}!bpa!vu-vlsi!devon!chessene!hermit
"Dr. Johnson, can you come over right away? My father has a hibachi on his
head."
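Added example, not part of the original post: a C sketch of the step the reply says few people think of, replacing the search path inherited from the invoking process before calling popen(). The function names and the SAFE_PATH value are assumptions chosen for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for setenv() and popen() */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAFE_PATH "/bin:/usr/bin" /* assumption: directories only root can write */

/* Returns 1 if a PATH value has an empty or non-absolute component
 * (including "."), i.e. one the shell resolves against the caller's cwd. */
int path_is_unsafe(const char *path)
{
    const char *p = path;
    if (path == NULL || *path == '\0') return 1;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 0 || p[0] != '/') return 1;
        if (end == NULL) return 0;
        p = end + 1;
    }
}

/* Overwrite the PATH inherited from the invoking process. */
int set_safe_path(void)
{
    return setenv("PATH", SAFE_PATH, 1) == 0 ? 0 : -1;
}

/* popen() runs cmd via the shell, which searches PATH; fix PATH first.
 * Copies the first line of the command's output into buf. */
int run_with_safe_path(const char *cmd, char *buf, size_t buflen)
{
    FILE *fp;
    if (set_safe_path() != 0) return -1;
    fp = popen(cmd, "r");
    if (fp == NULL) return -1;
    if (fgets(buf, (int)buflen, fp) == NULL) buf[0] = '\0';
    return pclose(fp) == -1 ? -1 : 0;
}

int main(void)
{
    char out[256];
    printf("inherited PATH unsafe: %d\n", path_is_unsafe(getenv("PATH")));
    if (run_with_safe_path("echo \"$PATH\"", out, sizeof out) == 0)
        printf("PATH seen by child shell: %s", out);
    return 0;
}
```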



More information about the Comp.bugs.sys5 mailing list