Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!ut-sally!ghostwheel!jbc
From: jbc@ghostwheel.UUCP (John Chambers)
Newsgroups: net.bugs.4bsd
Subject: Re: tip shell escape (4.3BSD)
Message-ID: <24@ghostwheel.UUCP>
Date: Thu, 21-Aug-86 18:04:45 EDT
Article-I.D.: ghostwhe.24
Posted: Thu Aug 21 18:04:45 1986
Date-Received: Thu, 21-Aug-86 22:26:05 EDT
References: <600@varian.UUCP>
Distribution: net
Organization: MCC Database Program, Austin, Texas
Lines: 41

Let's suppose you have the typical setuid/gid tip.

Cf. /usr/src/usr.bin/tip/tip.c at or around line 137

	.
	.
	gid = getgid();
	egid = getegid();
	uid = getuid();
	euid = geteuid();
	setregid(egid, gid);
	setreuid(euid, uid);
	.
	.

and /usr/src/bin/csh/sh.c at or around line 209

	.
	.
	if (!batch && (uid != geteuid() || getgid() != getegid())) {
		errno = EACCES;
		child++;		/* So this ... */
		Perror("csh");		/* ... doesn't return */
	}
	.
	.

We argued that tip should reset uid's before exec'ing a shell
and that we like csh as it is, and hence added something to the
effect of:

	setregid( gid, gid );
	setreuid( uid, uid );

in the suitable places in /usr/src/usr.bin/tip/cmd.c ....

--------
J.B. Chambers
snail: MCC/Database, P.O. Box 200195, Austin TX 78720 USA
arpa:  jbc@sally.utexas.edu, db.chambers@mcc.com
uucp:  {gatech,harvard,ihnp4,seismo,pyramid,...}!ut-sally!{,ghostwheel!}jbc
voice: 512 343 0860
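
Added example, not part of the original post and not the 4.3BSD tip source: a stand-alone sketch of the fix described above, setting both real and effective ids to the invoking user's in the child before exec'ing the shell and checking the result with the same comparison csh makes. The function names and the fork/exec wrapper are hypothetical.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1      /* expose setreuid()/setregid() on glibc */
#endif
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Same test csh applies in the sh.c excerpt: nonzero means csh would refuse. */
int ids_mismatch(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Set real and effective ids to the invoking user's. The gid goes first:
 * after the uid is dropped the process may lack the right to change gid.
 * Returns 0 on success, -1 if a call fails or the ids still differ. */
int drop_to_real_ids(void)
{
    gid_t gid = getgid();
    uid_t uid = getuid();
    if (setregid(gid, gid) != 0 || setreuid(uid, uid) != 0)
        return -1;
    return ids_mismatch() ? -1 : 0;
}

/* Hypothetical stand-in for a shell escape: fork, drop ids in the child
 * only, exec the shell. Returns the shell's exit status, or -1 on error. */
int run_shell_escape(const char *shell, const char *cmd)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_to_real_ids() != 0)
            _exit(126);                 /* never exec with the ids unchanged */
        execl(shell, shell, "-c", cmd, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("shell exit status: %d\n", run_shell_escape("/bin/sh", "id"));
    return 0;
}
```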