Path: utzoo!mnetor!uunet!mcvax!enea!luth!cad!sow
From: sow@cad.luth.se (Sven-Ove Westberg)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <995@luth.luth.se>
Date: 5 Mar 88 12:17:11 GMT
References: <181@wsccs.UUCP> <2613@imag.UUCP>
Sender: news@sm.luth.se
Reply-To: sow@cad.luth.se (Sven-Ove Westberg)
Organization: University of Lulea, Sweden
Lines: 32

In article <2613@imag.UUCP> berger@imag.UUCP (Gilles BERGER SABBATEL) writes:
|In article <181@wsccs.UUCP> terry@wsccs.UUCP (terry) writes:
|>
|>    Do NOT write a setuid program that uses getcwd().  The getcwd() call
|>does a popen() of the "pwd" shell command and does not check its path.  This
|>means that someone could write their own pwd and execute the command from
|>their directory, thus gaining root access via a sh -c.
|
|I am not sure this is a real problem.  As far as I know, pwd is built in
|the standard sys V shell.  Whenever you try to execute pwd, the builtin
|command is executed, even if there is another pwd in your path.
|
|The only way to execute another pwd is to give explicitly its full
|pathname (ex: ./pwd), so I think that getcwd() is quite secure.
|Obviously, the problem could exist if /bin/sh were not the standard sys V
|shell.
|--
|Gilles BERGER SABBATEL
|IMAG-TIM3/INPG, 46 Avenue Felix Viallet, F-38031 GRENOBLE CEDEX - FRANCE
|Tel: 76 47 98 55 Ext: 606
|UUCP: ...!seismo!mcvax!inria!archi!berger or: berger@archi

This IS a security hole and it has nothing to do with if pwd is
built in or not. I will NOT explain in detail how you do it.
Terry didn't see the real security hole.

Sven-Ove Westberg, CAD, University of Lulea, S-951 87 Lulea, Sweden.
Tel:  +46-920-91677  (work)        +46-920-48390  (home)
UUCP: {uunet,mcvax}!enea!cad.luth.se!sow
Internet: sow@cad.luth.se
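
Added example, not part of the original posts: the thread concerns a getcwd() that runs the pwd command through popen(). One way for a setuid program to avoid running any command at all is to compute the directory itself by walking up through ".." and matching device and inode numbers. The names `cwd_noshell` and `prepend` are hypothetical, and the code assumes a POSIX.1-2008 system (openat, fstatat, fdopendir).

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Prepend "/name" to the path being built right-to-left at buf[*pos]. */
static int prepend(char *buf, size_t *pos, const char *name) {
    size_t n = strlen(name);
    if (*pos < n + 1) return -1;               /* buffer too small */
    *pos -= n;
    memcpy(buf + *pos, name, n);
    buf[--*pos] = '/';
    return 0;
}

/* Hypothetical helper: absolute cwd into out, no shell, no PATH; 0 or -1. */
int cwd_noshell(char *out, size_t outlen) {
    struct stat cur, par, st;
    struct dirent *e;
    size_t pos = outlen - 1;
    int fd, up = -1, found = 1;
    if (outlen < 2 || (fd = open(".", O_RDONLY | O_DIRECTORY)) < 0) return -1;
    out[pos] = '\0';
    while (found) {
        found = 0;
        up = openat(fd, "..", O_RDONLY | O_DIRECTORY);
        if (up < 0 || fstat(fd, &cur) < 0 || fstat(up, &par) < 0) break;
        if (cur.st_dev == par.st_dev && cur.st_ino == par.st_ino) {
            if (out[pos] == '\0') out[--pos] = '/';   /* cwd is "/" itself */
            memmove(out, out + pos, outlen - pos);    /* shift to buffer start */
            close(up); close(fd);
            return 0;
        }
        DIR *d = fdopendir(dup(up));   /* dup: closedir() must not close up */
        while (d && !found && (e = readdir(d)) != NULL) {
            if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
            if (fstatat(up, e->d_name, &st, AT_SYMLINK_NOFOLLOW) == 0 &&
                st.st_dev == cur.st_dev && st.st_ino == cur.st_ino)
                found = (prepend(out, &pos, e->d_name) == 0);
        }
        if (d) closedir(d);
        close(fd); fd = up; up = -1;           /* continue one level higher */
    }
    if (up >= 0) close(up);
    close(fd);
    return -1;
}
```

The function fails with -1 when an ancestor directory cannot be opened or read, so a caller must check the return value before using the buffer.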