Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Path: utzoo!watmath!clyde!cbatt!cbosgd!mirror!sources-request From: sources-request@mirror.UUCP Newsgroups: mod.sources Subject: v07i090: Find security holes in shell-escapes Message-ID: <775@mirror.TMC.COM> Date: Wed, 10-Dec-86 13:46:16 EST Article-I.D.: mirror.775 Posted: Wed Dec 10 13:46:16 1986 Date-Received: Sun, 14-Dec-86 06:37:28 EST Sender: rs@mirror.TMC.COM Lines: 210 Approved: mirror!rs Submitted by: ihnp4!utzoo!hcr!hcrvx1!hugh Mod.sources: Volume 7, Issue 90 Archive-name: forktest I would like to submit the following program to mod.sources. I hope that the comments are sufficient explanation. I don't see that a manual is worthwhile. I have run this program under System V and Version 7. I have not tested it under BSD, but I know of no impediment. With this program, I have found bugs in a number of UNIX System V utilities. I am sure that BSD programs would be just as buggy, but I haven't tested them. Here are some examples: Programs that leave extra file descriptors open: sdb ! command mailx ~! command during message composition, and ! command (two extra) mail ! command rn ! or | command (5 extra!) cu ~! command (one extra: number 5) Programs that leave signals ignored: mailx ~! command (SIGINT!) rn ! and | commands (SIGEMT!?) I think that this list shows that it is easy to get fork(2) wrong. I hope programmers will use ForkTest to catch this type of bug early. Exercise for the reader: what can you scribble on with those extra file descriptors? Hugh Redelmeier (416) 922-1937 utzoo!hcr!hugh [ I wrote the Makefile and README. --r$ ] ----------CUT HERE---------- #! /bin/sh # This is a shell archive. Remove anything before this line, # then unpack it by saving it in a file and typing "sh file". # If all goes well, you will see the message "End of shell archive." # Contents: Makefile README forktest.c # Wrapped by rs@mirror on Wed Dec 10 13:44:46 1986 PATH=/bin:/usr/bin:/usr/ucb; export PATH echo shar: extracting "'Makefile'" '(52 characters)' if test -f 'Makefile' ; then echo shar: will not over-write existing file "'Makefile'" else sed 's/^X//' >Makefile <<'@//E*O*F Makefile//' X Xforktest: forktest.c X $(CC) $(CFLAGS) -o forktest X @//E*O*F Makefile// if test 52 -ne "`wc -c <'Makefile'`"; then echo shar: error transmitting "'Makefile'" '(should have been 52 characters)' fi fi # end of overwriting check echo shar: extracting "'README'" '(253 characters)' if test -f 'README' ; then echo shar: will not over-write existing file "'README'" else sed 's/^X//' >README <<'@//E*O*F README//' X X[ This program is designed to be called by programs that allow X shell escapes. It prints out the argc,argv parameters, and X lists the disposition of signals, alarm calls, etc. The fun X part is when it lists the open file descriptors... -r$ ] @//E*O*F README// if test 253 -ne "`wc -c <'README'`"; then echo shar: error transmitting "'README'" '(should have been 253 characters)' fi fi # end of overwriting check echo shar: extracting "'forktest.c'" '(3059 characters)' if test -f 'forktest.c' ; then echo shar: will not over-write existing file "'forktest.c'" else sed 's/^X//' >forktest.c <<'@//E*O*F forktest.c//' X/* Fork Test: display args, open files, signals, etc. X * X * Simple as this program is, it has found bugs in the X * way a number of programs fork off children. To test X * how a program is invoking its children, run this X * program as a child. X * X * Generally, processes should be created with: X * X * - a reasonable arg count & list X * - arg 0 should look like the name of the command X * X * - real and effective UIDs and GIDs should be reasonable. X * Beware setuid programs that fork children! X * X * - no pending alarm. Version 7 apparently does not X * reset alarms upon an exec! X * X * - file descriptors 0 (STDIN), 1 (STDOUT), and 2 (STDERR) X * opened reasonably X * - all other file descriptors closed (this program will X * describe all open channels) X * X * - all signals (except SIGKILL) set to SIG_DFL (this X * program will print all signals set otherwise) X * X * The output is fairly simple to understand. When in X * doubt, read the code (and a UNIX manual: exec(2), X * getuid(2), alarm(2), signal(2), stat(2)). X * X * Room for Improvement: X * X * - strings should be printed in a way that shows funny characters. X * - show misc. other bits of state X * - PID (who cares?) X * - umask X * - ulimit (System V) X * - stty settings of open TTYs X * X * Copyright (c) 1986 March 11 D. Hugh Redelmeier X * X * This program may be distributed and used without restriction. X */ X X#include X Xextern unsigned alarm(); /* should be unsigned, but may be int */ X X#include X#include X Xstruct stat sb; X X#include Xextern int errno; Xextern char *sys_errlist[]; X X#include X Xint (*signal())(); X Xmain(argc, argv, envp) Xint argc; Xchar **argv, **envp; X{ X register int i; X unsigned al = alarm(0); /* get it while it is hot */ X X printf("%d arg(s):", argc); X for (i=0; i>12); X break; X } X } X X printf("Signals:\n"); X for (i=1; i!=40; i++) { /* I hope 40 is enough. */ X register int n = (int) signal(i, SIG_IGN); X switch (n) { X case -1: X case SIG_DFL: X break; X case SIG_IGN: X printf("\t%d: SIG_IGN\n", i); X break; X default: X printf("\t%d: %d\n", i, n); X break; X } X } X X printf("Environment:\n"); X for (i=0; envp[i]!=NULL; i++) X printf("\t\"%s\"\n", envp[i]); X X exit(0); X} @//E*O*F forktest.c// if test 3059 -ne "`wc -c <'forktest.c'`"; then echo shar: error transmitting "'forktest.c'" '(should have been 3059 characters)' fi fi # end of overwriting check echo shar: "End of shell archive." exit 0