Path: utzoo!mnetor!uunet!seismo!sundc!pitstop!sun!decwrl!labrea!aurora!eos!ames!hao!husc6!tut.cis.ohio-state.edu!ut-sally!utah-cs!utah-gr!uplherc!sp7040!obie!wsccs!terry
From: terry@wsccs.UUCP (terry)
Newsgroups: comp.bugs.sys5
Subject: A security hole
Message-ID: <181@wsccs.UUCP>
Date: 23 Feb 88 04:44:07 GMT
Lines: 13
Summary: More glorius bugs


	Do NOT write a setuid program that uses getcwd().  The getcwd() call
does a popen() of the "pwd" shell command and does not check it's path.  This
means that someone could write their own pwd and execute the command from
their directory, thus gaining root access via a sh -c.


| Terry Lambert           UUCP: ...!decvax!utah-cs!century!terry              |
| @ Century Software       or : ...utah-cs!uplherc!sp7040!obie!wsccs!terry    |
| SLC, Utah                                                                   |
|                   These opinions are not my companies, but if you find them |
|                   useful, send a $20.00 donation to Brisbane Australia...   |
| 'There are monkey boys in the facility.  Do not be alarmed; you are secure' |