[922] in linux-security and linux-alert archive
Re: [linux-security] sliplogin
daemon@ATHENA.MIT.EDU (Wietse Venema)
Wed Jul 17 12:51:42 1996
From: wietse@wzv.win.tue.nl (Wietse Venema)
To: marshalj@spots.ab.ca (Jason Marshall)
Date: Wed, 17 Jul 96 18:22:52 MET DST
Cc: dholland@hcs.HARVARD.EDU, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960716110840.14386E-100000@cheetah.spots.ab.ca>; from "Jason Marshall" at Jul 16, 96 11:12 am
Jason Marshall wrote:
>
> > It does
> > setuid(0);
> > if (s = system(logincmd)) {
> > :
> > }
> > without clearing the environment first. Therefore, anybody can get
> > root trivially.
>
> Ok, my interest has been piqued for a while now, but I've just never
> asked. Is there a list somewhere of ALL the things that really should
> be done or looked for when writing code segments that are seteuid(0)?
> I know SOME of the things to do, but I've yet to see a comprehensive
> list. I am quite sure there are many C coders out there who either a)
> don't know what to do, or b) wouldn't mind some confirmation that they
> are/have been doing the right things.
>
> This is particularly in reference to system() calls, and/or the replacing
> of those calls with safer code.
The list of things being passed in via exec() is system dependent.
- environment
- priority
- file descriptors, including read/write offsets and streams modules
- real/effective/etc uid/gid/luid
- current working directory
- controlling tty (for signaling)
- what signals are being ignored
- any pending alarm signals
- parent process id
- time of day
This is just off the top of my head, so no doubt it is incomplete.
Wietse
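The concern raised in this thread (a setuid program calling system() with the caller's environment, descriptors and signal state intact) as an added example, not code from sliplogin or from any poster: a replacement for `system(logincmd)` that execs an absolute path under a fixed environment and resets the inherited state Wietse lists. The names `run_clean`, `safe_env` and `child_env_is_clean` are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed, minimal environment: nothing from the caller's environ is passed on. */
static char *const safe_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Run an absolute-path program with an explicit argv under safe_env.
 * Unlike system(), this never consults the caller's environment or PATH,
 * and it resets the signal and descriptor state the child would inherit.
 * Returns the child's exit status, or -1 on error or abnormal termination. */
int run_clean(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/')   /* refuse relative paths */
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Undo inherited signal mask and dispositions (classic signals 1..31). */
        sigset_t none;
        sigemptyset(&none);
        sigprocmask(SIG_SETMASK, &none, NULL);
        for (int sig = 1; sig < 32; sig++)
            signal(sig, SIG_DFL);
        /* Close every descriptor above stderr so no stray file is handed over. */
        long maxfd = sysconf(_SC_OPEN_MAX);
        for (int fd = 3; fd < (maxfd > 0 ? maxfd : 1024); fd++)
            close(fd);
        execve(path, argv, safe_env);
        _exit(127);                        /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Probe: returns 1 when the child sees neither HOME nor LD_PRELOAD (i.e. the
 * environment really was replaced), 0 otherwise. /bin/sh is used only as the oracle. */
int child_env_is_clean(void)
{
    char *const argv[] = { "sh", "-c", "test -z \"$HOME\" && test -z \"$LD_PRELOAD\"", NULL };
    return run_clean("/bin/sh", argv) == 0;
}

int main(void)
{
    return child_env_is_clean() ? 0 : 1;
}
```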