A security hole

John Chambers jc at minya.UUCP
Thu Mar 10 03:08:28 AEST 1988


In article <722 at rivm05.UUCP>, ccement at rivm.UUCP (Martien F v Steenbergen) writes:
> In article <181 at wsccs.UUCP>, terry at wsccs.UUCP (terry) writes:
> > 
> > 	Do NOT write a setuid program that uses getcwd().  The getcwd() call
> > does a popen() of the "pwd" shell command and does not check its path.  This
> > means that someone could write their own pwd and execute the command from
> > their directory, thus gaining root access via a sh -c.
> 
> First of all, by writing a setuid program you automatically open
> the security hole and you are likely to fall in. You must always
> be suspicious of any setuid program.

Uh, I'm not sure I believe all this.  I mean, I understand why root should
never include "." or any world-writable directories in its search path.
Does your unspecified hole amount to anything more than this?  If so, you
aren't saying anything at all about getcwd() or popen(), just about search 
paths.

> Second, when you really need a setuid program you'll have to check a lot
> of permissions etc. yourself. 

This adds to my conviction that someone doesn't know what they're talking
about.  Do you perhaps mean "setuid-root"?  If so, you are of course correct.
If you don't understand my point, you don't know enough about Unix security
to pontificate on the subject.

Also, I'm sure that I'm far from the only one who is getting tired of seeing
dire warnings like:
	The 'cc' command contains a MAJOR security hole; you should delete it
	from your system as fast as possible.  I can't tell you what the hole
	is, because it would allow any hacker to break into any Unix system in
	the world.  Believe me; I know what I'm talking about.
It's easy enough to make up warnings like these, but many of them turn out
on investigation to be full of bull; some are in fact fraudulent attempts
to discredit someone else's useful software.

Anyhow, what can one do with getcwd() or popen() within a setuid program
(root or otherwise) that isn't a consequence of the search path?  If there
is a real security hole here, I'd be very interested in reading about it.

-- 
John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)
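Added example, not part of the original post or of any vendor's getcwd() implementation: the defensive side of the point under discussion in C. The reply above argues that the only real issue is the search path, so the code checks a PATH for exactly the conditions that make a planted "pwd" possible (relative or empty elements such as ".", and directories writable by others), installs a fixed path before anything that goes through "sh -c", and shows that the working directory can be obtained without a shell at all, since modern libcs implement getcwd() as a system call or a directory walk rather than a popen("pwd"). The names path_is_trustworthy(), harden_shell_env(), cwd_without_shell() and pwd_via_popen() are this example's own; it assumes a POSIX libc.

```c
/* Added example (not from the original post): PATH hygiene for a
 * privileged program that may still call popen()/system(), plus a
 * shell-free way to get the working directory.  Assumes POSIX.
 * Function names are this example's own, not any libc API. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Fixed search path: absolute, system-owned directories only. */
static const char *SAFE_PATH = "/usr/bin:/bin";

/* Return 1 if every element of `path` is absolute and not writable by
 * group or others, 0 otherwise.  An empty element (leading ':',
 * trailing ':' or "::") means "." and is rejected like an explicit ".".
 * Directories that do not exist cannot hold a planted binary and are
 * ignored. */
int path_is_trustworthy(const char *path) {
    if (path == NULL || *path == '\0') return 0;
    if (path[0] == ':' || path[strlen(path) - 1] == ':' || strstr(path, "::") != NULL)
        return 0;
    char *copy = strdup(path);
    if (copy == NULL) return 0;
    int ok = 1;
    char *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir != NULL;
         dir = strtok_r(NULL, ":", &save)) {
        if (dir[0] != '/') { ok = 0; break; }          /* relative element */
        struct stat st;
        if (stat(dir, &st) == 0 && (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
            ok = 0;                                     /* e.g. /tmp */
            break;
        }
    }
    free(copy);
    return ok;
}

/* Install the fixed PATH and drop IFS (which old shells also honoured
 * when splitting command words) before any popen()/system() call, since
 * both run "sh -c" and resolve command names through PATH.
 * Returns 0 on success, -1 on failure. */
int harden_shell_env(void) {
    if (setenv("PATH", SAFE_PATH, 1) != 0) return -1;
    if (unsetenv("IFS") != 0) return -1;
    return path_is_trustworthy(getenv("PATH")) ? 0 : -1;
}

/* Working directory without spawning a shell: getcwd(3) here is the
 * libc/kernel routine, so PATH plays no part.  Returns the length of
 * the path written to `buf`, or -1. */
long cwd_without_shell(char *buf, size_t size) {
    if (getcwd(buf, size) == NULL) return -1;
    return (long)strlen(buf);
}

/* For comparison, the route the quoted warning describes: popen() runs
 * "sh -c pwd".  In most current shells pwd is a builtin, but any
 * external command named in the string is looked up via PATH, so the
 * environment is hardened first.  Returns length of the line, or -1. */
long pwd_via_popen(char *buf, size_t size) {
    if (harden_shell_env() != 0) return -1;
    FILE *fp = popen("pwd", "r");
    if (fp == NULL) return -1;
    if (fgets(buf, (int)size, fp) == NULL) { pclose(fp); return -1; }
    pclose(fp);
    buf[strcspn(buf, "\n")] = '\0';                    /* strip newline */
    return (long)strlen(buf);
}

int main(void) {
    char buf[4096];
    printf("PATH \".:/usr/bin\" trustworthy? %d\n", path_is_trustworthy(".:/usr/bin"));
    printf("PATH \"%s\" trustworthy? %d\n", SAFE_PATH, path_is_trustworthy(SAFE_PATH));
    if (cwd_without_shell(buf, sizeof buf) > 0) printf("cwd (no shell): %s\n", buf);
    if (pwd_via_popen(buf, sizeof buf) > 0) printf("cwd (via sh -c): %s\n", buf);
    return 0;
}
```

The group-writable test is deliberately strict; on a system that intentionally makes a bin directory group-writable by a trusted group, relax it to S_IWOTH only after confirming the group membership.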