Path: utzoo!mnetor!uunet!mcvax!inria!imag!berger
From: berger@imag.UUCP (Gilles BERGER SABBATEL)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <2613@imag.UUCP>
Date: 29 Feb 88 15:49:33 GMT
References: <181@wsccs.UUCP>
Reply-To: berger@imag.UUCP (Gilles BERGER SABBATEL)
Organization: IMAG, University of Grenoble, France
Lines: 20

In article <181@wsccs.UUCP> terry@wsccs.UUCP (terry) writes:
>
> Do NOT write a setuid program that uses getcwd(). The getcwd() call
>does a popen() of the "pwd" shell command and does not check its path. This
>means that someone could write their own pwd and execute the command from
>their directory, thus gaining root access via a sh -c.

I am not sure this is a real problem. As far as I know, pwd is built in
the standard sys V shell. Whenever you try to execute pwd, the builtin
command is executed, even if there is another pwd in your path. The only
way to execute another pwd is to give explicitly its full pathname
(ex: ./pwd), so I think that getcwd() is quite secure.

Obviously, the problem could exist if /bin/sh were not the standard sys V
shell.

--
Gilles BERGER SABBATEL
IMAG-TIM3/INPG, 46 Avenue Felix Viallet, F-38031 GRENOBLE CEDEX - FRANCE
Tel: 76 47 98 55 Ext: 606
UUCP: ...!seismo!mcvax!inria!archi!berger or: berger@archi
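
Added example, not part of the original post or of any System V source: a privileged program that has to shell out for the working directory can avoid depending on whether pwd is a builtin of whatever /bin/sh happens to be, by fixing the search path and naming the binary by absolute path. SAFE_PATH, scrub_env() and cwd_via_pwd() are names assumed for this illustration, and /bin/pwd is assumed to exist on the system.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed fixed search path for this example; adjust per system. */
#define SAFE_PATH "/bin:/usr/bin"

/* Reset the inherited variables the shell consults when it resolves
 * and parses a command line. Returns 0 on success, -1 on failure. */
int scrub_env(void)
{
    if (setenv("PATH", SAFE_PATH, 1) != 0) return -1;
    if (setenv("IFS", " \t\n", 1) != 0) return -1;
    if (unsetenv("ENV") != 0) return -1;      /* sh startup file */
    if (unsetenv("BASH_ENV") != 0) return -1; /* bash startup file */
    return 0;
}

/* Obtain the working directory through popen(), as the quoted article
 * says getcwd() did, but only after scrubbing the environment and
 * with an absolute path, so neither PATH nor the builtin set of
 * /bin/sh decides which pwd runs. Returns 0 on success, -1 on error. */
int cwd_via_pwd(char *buf, size_t len)
{
    FILE *p;
    size_t n;

    if (len < 2 || scrub_env() != 0) return -1;
    p = popen("/bin/pwd", "r");
    if (p == NULL) return -1;
    if (fgets(buf, (int)len, p) == NULL) { pclose(p); return -1; }
    if (pclose(p) != 0) return -1;            /* command failed */

    n = strlen(buf);
    if (n == 0 || buf[n - 1] != '\n') return -1; /* truncated output */
    buf[n - 1] = '\0';
    return buf[0] == '/' ? 0 : -1;            /* must be absolute */
}
```

On current systems getcwd() is a library or system call and starts no shell; the same scrubbing applies to any popen() or system() call a setuid program cannot avoid.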