Path: utzoo!mnetor!uunet!lll-winken!lll-lcc!ames!nrl-cmf!mailrus!tut.cis.ohio-state.edu!ut-sally!utah-cs!utah-gr!uplherc!sp7040!wsccs!terry
From: terry@wsccs.UUCP (terry)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <319@wsccs.UUCP>
Date: 15 Mar 88 02:57:04 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <478@minya.UUCP>
Lines: 44
Summary: Use the source, Luke

In article <478@minya.UUCP>, jc@minya.UUCP (John Chambers) writes:
} In article <722@rivm05.UUCP>, ccement@rivm.UUCP (Martien F v Steenbergen) writes:
} In article <181@wsccs.UUCP>, I write:
} >
} > Do NOT write a setuid program that uses getcwd().  The getcwd() call
} > does a popen() of the "pwd" shell command and does not check its path.
}
} Also, I'm sure that I'm far from the only one who is getting tired of seeing
} dire warnings like:
}     The 'cc' command contains a MAJOR security hole; you should delete it
}     from your system as fast as possible.  I can't tell you what the hole
}     is, because it would allow any hacker to break into any Unix system in
}     the world.  Believe me; I know what I'm talking about.
} It's easy enough to make up warnings like these, but many of them turn out
} on investigation to be full of bull; some are in fact fraudulent attempts
} to discredit someone else's useful software.

Read the source code.  I was simply pointing out something you should be aware
of.  The fix, if you haven't figured it out for yourself yet, is to simply
force the path for pwd.  I was simply suggesting that AT&T fix it.

} Anyhow, what can one do with getcwd() or popen() within a setuid program
} (root or otherwise) that isn't a consequence of the search path?

Nothing.  That's not the point.  How do you specify the PATH env variable from
within your C program?  Inquiring minds want to know... the whole point, I
thought, of this bugs forum, was to bring bugs to the attention of the people
in charge of removing them.

} If there
} is a real security hole here, I'd be very interested in reading about it.

Well... how do _you_ do a mknod under sys5?  Is it a suid root program on
_your_ system, like everyone else's, or do you always log in as root?  Do you
determine path via osmosis, or some method unbeknownst to us?  If not, it's
a problem.

When all else fails, consult the source code.

| Terry Lambert           UUCP: ...!{ decvax, ihnp4 }...                      |
| @ Century Software        or : ...utah-cs!uplherc!sp7040!obie!wsccs!terry   |
| SLC, Utah                                                                   |
|                   These opinions are not my company's, but if you find them |
|                   useful, send a $20.00 donation to Brisbane Australia...   |
| 'There are monkey boys in the facility.  Do not be alarmed; you are secure' |