Path: utzoo!mnetor!uunet!husc6!bloom-beacon!gatech!udel!burdvax!bpa!cbmvax!vu-vlsi!devon!chessene!hermit
From: hermit@chessene.UUCP (Mark Buda)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <172@chessene.UUCP>
Date: 13 Mar 88 19:55:25 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <478@minya.UUCP>
Organization: Competitive Computer Systems, Lancaster PA
Lines: 24
Summary: what's this nonsense about search paths

In article <478@minya.UUCP>, jc@minya.UUCP (John Chambers) writes:
>
> Uh, I'm not sure I believe all this. I mean, I understand why root should
> never include "." or any world-writable directories in its search path.
> [stuff] If so, you
> aren't saying anything at all about getcwd() or popen(), just about search
> paths.
>
> Anyhow, what can one do with getcwd() or popen() within a setuid program
> (root or otherwise) that isn't a consequence of the search path? If there
> is a real security hole here, I'd be very interested in reading about it.
>
> John Chambers <{adelie,ima,maynard,mit-eddie}!minya!{jc,root}> (617/484-6393)

Root's search path has nothing to do with setuid-root programs - they get
their path from the process that invokes them, so you don't have any control
over the search path (unless you explicitly change it in your setuid program -
but how many people think of doing that?)
--
Mark Buda, The Embattled Hermit
Domain: hermit@chessene.uucp
Dumb: ...{rutger,ihnp4,cbosgd}!bpa!vu-vlsi!devon!chessene!hermit
"Dr. Johnson, can you come over right away? My father has a hibachi on his head."
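
Added example, not part of the original post or thread: one way a setuid program can explicitly change the search path it inherits before calling popen(), as the reply above describes. The SAFE_PATH value and the function names path_is_risky, reset_search_path and run_first_line are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed trusted value; list only directories that root alone can write. */
#define SAFE_PATH "/bin:/usr/bin"

/* Return 1 if a PATH value has an empty, "." or otherwise relative component
 * (each makes the shell search a directory the invoker chooses), else 0. */
int path_is_risky(const char *path)
{
    const char *p = path;
    if (path == NULL || *path == '\0')
        return 1;
    for (;; p = strchr(p, ':') + 1) {
        if (*p != '/')              /* empty, "." or relative component */
            return 1;
        if (strchr(p, ':') == NULL) /* last component was absolute */
            return 0;
    }
}

/* Discard the PATH inherited from the invoking process. Call this before
 * any popen(), system() or execvp() in the setuid program. */
int reset_search_path(void)
{
    return setenv("PATH", SAFE_PATH, 1);
}

/* Hypothetical helper: run cmd through popen() only after the reset and
 * copy the first line of its output into buf. Returns the pclose() status. */
int run_first_line(const char *cmd, char *buf, size_t buflen)
{
    FILE *fp;
    buf[0] = '\0';
    if (reset_search_path() != 0 || (fp = popen(cmd, "r")) == NULL)
        return -1;
    if (fgets(buf, (int)buflen, fp) == NULL)
        buf[0] = '\0';
    return pclose(fp);
}

int main(void)
{
    char line[128];
    printf("inherited PATH risky: %d\n", path_is_risky(getenv("PATH")));
    printf("status %d: %s", run_first_line("echo ok", line, sizeof line), line);
    return 0;
}
```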