[922] in linux-security and linux-alert archive


Re: [linux-security] sliplogin

daemon@ATHENA.MIT.EDU (Wietse Venema)
Wed Jul 17 12:51:42 1996

From: wietse@wzv.win.tue.nl (Wietse Venema)
To: marshalj@spots.ab.ca (Jason Marshall)
Date: Wed, 17 Jul 96 18:22:52 MET DST
Cc: dholland@hcs.HARVARD.EDU, linux-security@tarsier.cv.nrao.edu
In-Reply-To: <Pine.LNX.3.91.960716110840.14386E-100000@cheetah.spots.ab.ca>; from "Jason Marshall" at Jul 16, 96 11:12 am

Jason Marshall wrote:
> 
> > It does
> > 	setuid(0);
> > 	if (s = system(logincmd)) {
> > 	   :
> > 	}
> > without clearing the environment first. Therefore, anybody can get
> > root trivially.
> 
> Ok, my interest has been piqued for a while now, but I've just never 
> asked.  Is there a list somewhere of ALL the things that really should 
> be done or looked for when writing code segments that are seteuid(0)?
> I know SOME of the things to do, but I've yet to see a comprehensive 
> list.  I am quite sure there are many C coders out there who either a) 
> don't know what to do, or b) wouldn't mind some confirmation that they 
> are/have been doing the right things.
> 
> This is particularly in reference to system() calls, and/or the replacing 
> of those calls with safer code.

The list of things being passed in via exec() is system dependent. 

- environment

- priority

- file descriptors, including read/write offsets and streams modules

- real/effective/etc uid/gid/luid

- current working directory

- controlling tty (for signaling)

- what signals are being ignored

- any pending alarm signals

- parent process id

- time of day

This is just off the top of my head, so no doubt it is incomplete.

	Wietse
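Added example, not code from sliplogin or from anyone in this thread: one way to replace the unsanitised setuid(0); system(logincmd) pattern with fork()/execve() over a process state that has been scrubbed along the lines of the list above (environment, descriptors, signals, pending alarm, working directory, priority, uid/gid). It assumes a Unix-like system with /bin/sh at that path; the function names (scrub_inherited_state, run_clean, run_shell_clean, demo_poisoned_env), the contents of clean_env and the 65536 descriptor bound are this example's own choices, not anything sliplogin does.

```c
/* Added example (not sliplogin's code): replace an unsanitised system() in a
 * privileged program with fork/execve over a scrubbed process state. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* The only environment the child ever sees. IFS is pinned because old Bourne
 * shells honoured an inherited IFS when splitting the words of a command. */
static char *const clean_env[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Runs in the child, before execve(): undo what was inherited from the caller. */
static void scrub_inherited_state(void)
{
    sigset_t none;
    int sig, fd, maxfd;
    sigemptyset(&none);
    sigprocmask(SIG_SETMASK, &none, NULL);   /* nothing blocked */
    for (sig = 1; sig < NSIG; sig++)
        signal(sig, SIG_DFL);                /* nothing ignored; SIGKILL/SIGSTOP just fail */
    alarm(0);                                /* no pending alarm */
    maxfd = (int)sysconf(_SC_OPEN_MAX);
    if (maxfd < 0 || maxfd > 65536)
        maxfd = 65536;                       /* bound the loop (assumed limit) */
    for (fd = 3; fd < maxfd; fd++)
        close(fd);                           /* only stdin/stdout/stderr survive */
    if (chdir("/") != 0)
        _exit(127);                          /* no caller-chosen working directory */
    umask(022);
    setpriority(PRIO_PROCESS, 0, 0);         /* raising priority may need root; failure is harmless */
}

/* Execute the absolute `path' with `argv' and clean_env in a child; with drop_privs
 * the child first falls back to the real uid/gid. Returns exit status or -1. */
int run_clean(const char *path, char *const argv[], int drop_privs)
{
    pid_t pid;
    int status;
    if (path == NULL || path[0] != '/') {    /* never let PATH pick the binary */
        errno = EINVAL;
        return -1;
    }
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        scrub_inherited_state();
        if (drop_privs) {
            /* supplementary groups, then gid, then uid; every result checked */
            if (geteuid() == 0 && setgroups(0, NULL) != 0)
                _exit(127);
            if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
                _exit(127);
        }
        execve(path, argv, clean_env);
        _exit(127);                          /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run one program-fixed shell command line (never built from user input). */
int run_shell_clean(const char *cmd, int drop_privs)
{
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    return run_clean("/bin/sh", argv, drop_privs);
}

/* Poison our own environment the way a caller of a setuid program could, then
 * check the child sees none of it. Returns 0 when only clean_env came through. */
int demo_poisoned_env(void)
{
    setenv("IFS", "/", 1);                   /* constructed attacker values */
    setenv("PATH", "/tmp/evil:/bin", 1);
    setenv("LD_PRELOAD", "/tmp/evil.so", 1);
    return run_shell_clean("test -z \"$LD_PRELOAD\" && test \"$PATH\" = /usr/bin:/bin", 0);
}

int main(void)
{
    printf("child saw a clean environment: %s\n", demo_poisoned_env() == 0 ? "yes" : "no");
    printf("exit status propagated: %d\n", run_shell_clean("exit 3", 1));
    return 0;
}
```

The point of the helper is that nothing the caller of the setuid program controls reaches the command: the binary is named by absolute path, the environment is replaced wholesale rather than filtered, and every state item on the list is reset in the child rather than trusted. The controlling tty, parent pid and time of day from the list are not touched here because they cannot be reset from the child without setsid()/daemonising, which changes the program's behaviour; they are worth remembering when the command being run does anything with job control or timing.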
