Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!utcs!mnetor!seismo!lll-crg!lll-lcc!unisoft!mtxinu!rtech!jas
From: jas@rtech.UUCP
Newsgroups: net.unix-wizards
Subject: Re: so who has mkdir and rmdir for system V
Message-ID: <327@rtech.UUCP>
Date: Sun, 13-Jul-86 18:16:22 EDT
Article-I.D.: rtech.327
Posted: Sun Jul 13 18:16:22 1986
Date-Received: Mon, 14-Jul-86 22:32:35 EDT
References: <1885@brl-smoke.ARPA> <6179@elsie.UUCP>
Reply-To: jas@rtech.UUCP (Jim Shankland)
Organization: Relational Technology Inc, Alameda CA
Lines: 14
Summary: need bullet proof, not just idiot proof
Keywords:

Regarding "idiot proofing" a mkdir library routine: code like this

    if ((fp = popen("sh", "w")) == NULL)
        return -1;
    (void) fputs("mkdir 2>&- '", fp);

is a security problem for setuid-root (or setuid-anybody) programs that
want to call it. "/bin/sh" and "/bin/mkdir" should be specified, for
reasons that should be clear.

Jim Shankland
 ..!ihnp4!cpsc6a!\
                  rtech!jas
..!ucbvax!mtxinu!/
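
The point made in the post above, as an added example that is not part of the original article or of the library routine it discusses: a C helper that runs /bin/mkdir by absolute path with a fixed environment, so a setuid caller never depends on the invoking user's PATH or IFS. It goes one step beyond the post's suggestion by not starting a shell at all; the name safe_mkdir, the environment values, and the local mkdir accepting "--" are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MKDIR_PATH "/bin/mkdir"   /* absolute path, as the post asks */

/* Hypothetical helper (name is an assumption): 0 on success, -1 on failure. */
int safe_mkdir(const char *dir)
{
    /* Fixed environment; nothing is inherited from the invoking user. */
    static char *const envp[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };
    char *argv[4];
    pid_t pid, w;
    int status;

    if (dir == NULL || dir[0] == '\0')
        return -1;
    argv[0] = "mkdir";
    argv[1] = "--";          /* end of options: dir is never read as a flag */
    argv[2] = (char *)dir;   /* one argv entry; no shell ever parses it */
    argv[3] = NULL;

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(MKDIR_PATH, argv, envp);  /* no PATH search, no sh */
        _exit(127);                      /* exec itself failed */
    }
    do {
        w = waitpid(pid, &status, 0);
    } while (w < 0 && errno == EINTR);
    if (w < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s directory\n", argv[0]);
        return EXIT_FAILURE;
    }
    return safe_mkdir(argv[1]) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```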