Path: utzoo!utgpu!water!watmath!clyde!ima!minya!jc
From: jc@minya.UUCP (John Chambers)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <478@minya.UUCP>
Date: 9 Mar 88 17:08:28 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP>
Organization: home
Lines: 42

In article <722@rivm05.UUCP>, ccement@rivm.UUCP (Martien F v Steenbergen) writes:
> In article <181@wsccs.UUCP>, terry@wsccs.UUCP (terry) writes:
> >
> > Do NOT write a setuid program that uses getcwd(). The getcwd() call
> > does a popen() of the "pwd" shell command and does not check its path. This
> > means that someone could write their own pwd and execute the command from
> > their directory, thus gaining root access via a sh -c.
>
> First of all, by writing a setuid program you automatically open
> the security hole and you are likely to fall in. You must always
> be suspicious of any setuid program.

Uh, I'm not sure I believe all this. I mean, I understand why root should
never include "." or any world-writable directories in its search path.
Does your unspecified hole amount to anything more than this? If so, you
aren't saying anything at all about getcwd() or popen(), just about search
paths.

> Second, when you really need a setuid program you'll have to check a lot
> of permissions etc. yourself.

This adds to my conviction that someone doesn't know what they're talking
about. Do you perhaps mean "setuid-root"? If so, you are of course correct.
If you don't understand my point, you don't know enough about Unix security
to pontificate on the subject.

Also, I'm sure that I'm far from the only one who is getting tired of seeing
dire warnings like:

	The 'cc' command contains a MAJOR security hole; you should delete
	it from your system as fast as possible. I can't tell you what the
	hole is, because it would allow any hacker to break into any Unix
	system in the world. Believe me; I know what I'm talking about.

It's easy enough to make up warnings like these, but many of them turn out
on investigation to be full of bull; some are in fact fraudulent attempts to
discredit someone else's useful software.

Anyhow, what can one do with getcwd() or popen() within a setuid program
(root or otherwise) that isn't a consequence of the search path? If there
is a real security hole here, I'd be very interested in reading about it.

--
John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)
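The thread's point is that a setuid program which spawns a child through popen() or system() inherits the caller's PATH, so "." and world-writable directories in that path are the real problem. The following is an added example, not code from the thread or from any Unix getcwd() implementation: a small PATH audit a setuid program can run before spawning anything, rejecting relative entries (including "" and "."), missing or non-directory entries, and world-writable directories, and then replacing the caller's PATH with a fixed one. The verdict names and function names are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum path_verdict {
    PATH_OK = 0,
    PATH_RELATIVE,       /* "", "." or any entry not starting with '/' */
    PATH_MISSING,        /* stat() fails: unsafe, someone could create it */
    PATH_NOT_DIR,
    PATH_WORLD_WRITABLE  /* mode has S_IWOTH; sticky bit does not help here */
};

/* Classify a single colon-separated PATH component. */
enum path_verdict check_path_entry(const char *entry) {
    struct stat st;
    if (entry[0] != '/') return PATH_RELATIVE;
    if (stat(entry, &st) != 0) return PATH_MISSING;
    if (!S_ISDIR(st.st_mode)) return PATH_NOT_DIR;
    if (st.st_mode & S_IWOTH) return PATH_WORLD_WRITABLE;
    return PATH_OK;
}

/* Walk a PATH string; return the number of unsafe entries and copy the
 * first offending one into `bad` (if non-NULL). Returns -1 on allocation failure. */
int audit_path(const char *path, char *bad, size_t badlen) {
    char *copy = strdup(path), *p = copy;
    int unsafe = 0;
    if (!copy) return -1;
    for (;;) {  /* manual scan: strtok() would silently drop empty "" entries */
        char *colon = strchr(p, ':');
        if (colon) *colon = '\0';
        if (check_path_entry(p) != PATH_OK && unsafe++ == 0 && bad)
            snprintf(bad, badlen, "%s", p);
        if (!colon) break;
        p = colon + 1;
    }
    free(copy);
    return unsafe;
}

int main(void) {
    char bad[256];
    const char *path = getenv("PATH") ? getenv("PATH") : "";
    if (audit_path(path, bad, sizeof bad) > 0) {
        fprintf(stderr, "refusing to spawn a child: unsafe PATH entry '%s'\n", bad);
        return 1;
    }
    setenv("PATH", "/bin:/usr/bin", 1);  /* never trust the caller's PATH in a setuid program */
    return 0;
}
```

In practice a setuid program should do the setenv() unconditionally and avoid popen()/system() altogether; the audit is useful mainly as a diagnostic for an administrator's own root environment.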