3b1 security and removal of ua

David B. Thomas dt at yenta.alb.nm.us
Wed Apr 10 15:46:06 AEST 1991


jon at jonlab.UUCP (Jon H. LaBadie) writes:

>EXCEPT, one of the arguments to eprintf(3T) is what to do when the
>user clicks on the icon.  And one of the possibilities is ST_EXEC;
>execute a program!!!

>Guess which user id, and in which directory the program is executed;
>You security hounds are right: by root and in the root directory.

Actually, with the stock /etc/rc script, the current directory is
/etc/lddrv when /etc/smgr is started.  smgr is the program that reads
/dev/error and puts up the icon, and it is to blame for the hole.

Lenny Tropiano was aware of this hole in a slightly different form:
if smgr puts up an envelope, indicating you have mail, and you click on
the icon, it starts up /bin/main, as root, with /etc/lddrv as the
current directory.  Imagine my confusion when, after typing "s" to save
a mail message, it wasn't in my home directory, but instead was eventually
found, owned by root, in /etc/lddrv!!  Anyway, Lenny's solution was to
write his own email program, which takes care of the permissions and
stuff.  It's called email<something>, and it's in osu-cis.

>So, essentially, anyone with access to your C compiler has access to
>your entire machine!

As someone else already pointed out, they have to get at the console to
exploit this hole, and anyone with access to your console can boot it from
a floppy and do anything they want!!

I don't use smgr anyway.  It's handy, but now that I have mgr, I can
cheerfully say goodbye to wind.o and everything associated with it.
Hmmm.... anybody know if I can remove the tam stuff from the shared
library?  Since I don't load the window driver I can't possibly use it.

By the way, my mgr hacks are coming along.  Soon, I expect to release
some diffs so it blanks automatically after a period of time, and I'm
working on some faster bit blits in assembler.  This baby oughta scream!

					little david
-- 
Robert Thomas, speaking of good software for Unix vs. MsDos:
    "Quality is either the result of a whole lot of dedication,
    or it's a thin layer of cream on top of a whole lot of milk."
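
The message above describes a root daemon (smgr) starting a program as root with /etc/lddrv as the current directory. As an added example, not part of the original post and not smgr's code, here is how a launcher can give up root and change to the user's directory before the exec. The names launch_as_user and drop_to_user are hypothetical, and the calls are modern POSIX/Linux ones (setgroups in particular), not the 3B1's own API.

```c
/* Added example: hypothetical launcher, not code from smgr or the 3B1. */
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Child side: give up root for good, then move to the user's directory. */
static int drop_to_user(uid_t uid, gid_t gid, const char *home)
{
    /* When root hands off to a non-root user, shed root's supplementary groups. */
    if (uid != 0 && geteuid() == 0 && setgroups(1, &gid) != 0)
        return -1;
    /* Group before user: once the uid is dropped, setgid() is no longer allowed. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Fail closed if root can still be regained. */
    if (uid != 0 && setuid(0) == 0)
        return -1;
    /* Saved files should land in the user's directory, not the daemon's. */
    return chdir(home);
}

/* Run argv[0] as uid/gid with cwd = home. Returns the child's exit status,
 * 126 if privileges or cwd could not be set, 127 if exec failed, -1 on error. */
int launch_as_user(uid_t uid, gid_t gid, const char *home, char *const argv[])
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_user(uid, gid, home) != 0)
            _exit(126);            /* never fall through and exec as root */
        execv(argv[0], argv);
        _exit(127);
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```
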


