Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.3 alpha 4/3/85; site ukma.UUCP
Path: utzoo!watmath!clyde!cbosgd!ukma!sean
From: sean@ukma.UUCP (Sean Casey)
Newsgroups: net.sources.bugs
Subject: Security bug in batch system
Message-ID: <1890@ukma.UUCP>
Date: Sat, 22-Jun-85 19:38:44 EDT
Article-I.D.: ukma.1890
Posted: Sat Jun 22 19:38:44 1985
Date-Received: Mon, 24-Jun-85 02:48:44 EDT
Organization: The White Tower @ The Univ. of KY
Lines: 30

There is a major security bug in the batch system posted by Len Lalonde in
<14907@watmath.UUCP>.  Batch.c runs setuid root, but does not check any
files given to it as arguments for access permissions.  Thus it becomes
possible to read any file on the system by specifying it as the shell file
argument to batch.

The patch to fix this bug follows:

*** batch.c.orig	Tue Jun 18 12:29:18 1985
--- batch.c	Tue Jun 18 21:33:25 1985
***************
*** 156,161
  if(argv[i][0] == '-') continue;
  if((input = fopen(argv[i], "r")) == NULL) {
  perror(argv[i]);
  cleanup();
--- 164,171 -----
  if(argv[i][0] == '-') continue;
+ if(access(argv[i],R_OK) != 0)
+ setuid(getuid());
  if((input = fopen(argv[i], "r")) == NULL) {
  perror(argv[i]);
  cleanup();
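Review bot: the added `if(access(argv[i],R_OK) != 0)` followed by the unchanged `if((input = fopen(argv[i], "r")) == NULL) {` is a check-then-use pair: access(2) judges the real user's permission on the name at one instant, and fopen() resolves the same name again a moment later while the process is still root, so whatever that name refers to at the second lookup is what gets opened with root's rights. The privilege drop `setuid(getuid());` is also only reached when the check fails, so the common-case open still happens as root. Suggest lowering the effective uid to the real uid unconditionally before the fopen (setreuid() on 4.2BSD, seteuid() where available), letting the kernel apply the invoker's permissions at open time, and restoring it afterwards only if root is needed later in the program; the access(2) call can then go away entirely.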
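The flaw described above is a set-user-id program opening a user-named file with root's permissions instead of the invoker's. The C program below is an added example written for this page; it is not Len Lalonde's batch.c and not Sean Casey's patch, and the function names (`fopen_as_invoker`, `make_sample_file`, `read_first_line`) are hypothetical. It shows the alternative to an access(2) pre-check: lower the effective uid to the real uid around the fopen() so the kernel makes the permission decision at the moment of the open, then restore the effective uid. The sample file it reads is constructed at run time.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * fopen_as_invoker (hypothetical name): open a caller-supplied path for
 * reading with the permissions of the real user, not the set-user-id owner.
 * Rather than asking access(2) first and then opening as root, the effective
 * uid is lowered around the fopen() so the kernel checks permissions at the
 * instant the file is actually opened.  Returns NULL with errno set on failure.
 */
FILE *fopen_as_invoker(const char *path)
{
    uid_t real_uid = getuid();
    uid_t saved_euid = geteuid();
    FILE *fp;
    int open_errno;

    /* Drop to the invoker's uid.  seteuid() leaves the saved set-user-id
     * untouched, so privilege can be regained below when a program still
     * needs it for later work. */
    if (seteuid(real_uid) != 0)
        return NULL;

    fp = fopen(path, "r");
    open_errno = errno;

    /* Regain the original effective uid; if that fails, do not carry on
     * with an unexpected identity: close the file and report the problem. */
    if (seteuid(saved_euid) != 0) {
        if (fp != NULL)
            fclose(fp);
        errno = EPERM;
        return NULL;
    }

    errno = open_errno;
    return fp;
}

/* Demonstration helper: write constructed content to a fresh temporary file
 * and return its path (caller frees), or NULL on failure. */
char *make_sample_file(const char *content)
{
    char tmpl[] = "/tmp/batch_demo_XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return NULL;
    if (write(fd, content, strlen(content)) != (ssize_t)strlen(content)) {
        close(fd);
        unlink(tmpl);
        return NULL;
    }
    close(fd);
    return strdup(tmpl);
}

/* Read the first line of `path` through fopen_as_invoker into buf.
 * Returns 1 on success, 0 if the invoker may not read the file. */
int read_first_line(const char *path, char *buf, size_t len)
{
    FILE *fp = fopen_as_invoker(path);
    if (fp == NULL)
        return 0;
    if (fgets(buf, (int)len, fp) == NULL) {
        fclose(fp);
        return 0;
    }
    fclose(fp);
    return 1;
}

int main(void)
{
    char line[128];
    char *path = make_sample_file("echo hello from batch\n");
    if (path == NULL)
        return 1;

    if (read_first_line(path, line, sizeof line))
        printf("opened as uid %u: %s", (unsigned)getuid(), line);
    else
        perror(path);

    /* A path the invoker cannot read fails at open time, just as the kernel
     * would refuse it for any unprivileged process. */
    if (!read_first_line("/nonexistent/batch_demo_file", line, sizeof line))
        perror("/nonexistent/batch_demo_file");

    unlink(path);
    free(path);
    return 0;
}
```

Run as an ordinary user the program simply opens its own temporary file; installed set-user-id root, the same code refuses any file the invoking user could not read, because the open itself runs with that user's effective uid. There is no separate name lookup between a permission check and the open, which is the property an access(2) pre-check cannot give.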