A security hole
Sven-Ove Westberg
sow at cad.luth.se
Sat Mar 5 22:17:11 AEST 1988
In article <2613 at imag.UUCP> berger at imag.UUCP (Gilles BERGER SABBATEL) writes:
|In article <181 at wsccs.UUCP> terry at wsccs.UUCP (terry) writes:
|>
|> Do NOT write a setuid program that uses getcwd(). The getcwd() call
|>does a popen() of the "pwd" shell command and does not check its path. This
|>means that someone could write their own pwd and execute the command from
|>their directory, thus gaining root access via a sh -c.
|
|I am not sure this is a real problem. As far as I know, pwd is built in
|the standard sys V shell. Whenever you try to execute pwd, the builtin
|command is executed, even if there is another pwd in your path.
|
|The only way to execute another pwd is to give explicitly its full
|pathname (ex: ./pwd), so I think that getcwd() is quite secure.
|Obviously, the problem could exist if /bin/sh were not the standard sys V
|shell.
|--
|Gilles BERGER SABBATEL
|IMAG-TIM3/INPG, 46 Avenue Felix Viallet, F-38031 GRENOBLE CEDEX - FRANCE
|Tel: 76 47 98 55 Ext: 606
|UUCP: ...!seismo!mcvax!inria!archi!berger or: berger at archi
This IS a security hole and it has nothing to do with whether pwd is
built in or not. I will NOT explain in detail how you do it. Terry
didn't see the real security hole.
Sven-Ove Westberg, CAD, University of Lulea, S-951 87 Lulea, Sweden.
Tel: +46-920-91677 (work) +46-920-48390 (home)
UUCP: {uunet,mcvax}!enea!cad.luth.se!sow
Internet: sow at cad.luth.se
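The quoted warning is about a setuid program reaching pwd through popen(), that is, through a shell and the invoking user's environment. As an added example (not part of the original posts and not code from any System V library), this C sketch shows the defensive pattern for a privileged program that must run pwd: no shell, an absolute path, and a fixed environment. The function name cwd_via_pwd and the /bin/pwd location are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define PWD_BINARY "/bin/pwd"   /* assumption: absolute location of pwd */

/* Hypothetical helper: run pwd with no shell and no inherited environment.
 * Returns 0 and fills buf with the directory on success, -1 on any failure. */
int cwd_via_pwd(char *buf, size_t len)
{
    char *const argv[] = { "pwd", NULL };
    char *const envp[] = { "PATH=/bin:/usr/bin", NULL };  /* fixed, not the caller's */
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    pid_t pid;

    if (len < 2 || pipe(fds) == -1)
        return -1;
    if ((pid = fork()) == -1) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (pid == 0) {                         /* child: stdout -> pipe */
        close(fds[0]);
        if (dup2(fds[1], STDOUT_FILENO) == -1)
            _exit(127);
        execve(PWD_BINARY, argv, envp);     /* absolute path: no PATH search, no sh -c */
        _exit(127);
    }
    close(fds[1]);
    while (used < len - 1 && (n = read(fds[0], buf + used, len - 1 - used)) > 0)
        used += (size_t)n;
    close(fds[0]);                          /* a child still writing gets EPIPE and exits */
    buf[used] = '\0';
    if (waitpid(pid, &status, 0) == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    /* Accept only one complete absolute path terminated by a newline. */
    if (used < 2 || buf[0] != '/' || buf[used - 1] != '\n')
        return -1;
    buf[used - 1] = '\0';
    return 0;
}

int main(void)
{
    char a[4096], b[4096];
    if (cwd_via_pwd(a, sizeof a) != 0 || getcwd(b, sizeof b) == NULL)
        return EXIT_FAILURE;
    printf("%s (%s libc getcwd)\n", a, strcmp(a, b) == 0 ? "matches" : "differs from");
    return EXIT_SUCCESS;
}
```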
More information about the Comp.bugs.sys5
mailing list