[4619] in bugtraq
Re: Generic wrapper
daemon@ATHENA.MIT.EDU (David Holland)
Sat May 31 01:00:14 1997
Date: Fri, 30 May 1997 18:40:27 -0400
Reply-To: David Holland <dholland@EECS.HARVARD.EDU>
From: David Holland <dholland@EECS.HARVARD.EDU>
X-To: jrozes@tcs.tufts.edu
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <9705301538.ZM7523@gumbo.tcs.tufts.edu> from "Jonathan Rozes" at May 30, 97 03:38:49 pm

> One caveat: this wrapper will break programs with symbolic links
> that perform different functions of the wrapped program (like
> sendmail, which has links for mailq and newaliases). This is
> because the wrapper resets argv[0] to the name of the wrapper
> program before executing the wrapped program.

This is because of programs that do things like

    execve(argv[0], argv, environ);

when running setuid. (Since argv[0] can be set by the parent process,
it's trivial to set it to /bin/sh and thus get a shell.)

> IRIX users will get nastily bit if they wrap /sbin/df, because /etc/devnm
> (a symlink to df) will produce weird results, causing the boot sequence to
> fail to create the root device links /dev/root and /dev/rroot, along with
> any tape device links. Your system will still boot normally, but you won't
> have access to your tape drives and the system will claim that the root
> filesystem is not mounted.

Oy. Does this mean that if you ln -s /sbin/df /tmp/devnm and run
/tmp/devnm that it will hose the system?

--
- David A. Holland | VINO project home page:
dholland@eecs.harvard.edu | http://www.eecs.harvard.edu/vino
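
An added example, not part of the original message and not the wrapper being discussed: one way a wrapper can keep symlink-dispatched names such as mailq and newaliases working while still refusing a caller-chosen argv[0]. The paths, REAL_PROG and the helper name safe_argv0 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Assumed layout, not from the original post: where the real binary lives
 * and the trusted absolute path for each name it dispatches on. */
#define REAL_PROG "/usr/lib/sendmail.real"
static const struct { const char *name, *path; } allowed[] = {
    { "sendmail",   "/usr/sbin/sendmail"  },
    { "mailq",      "/usr/bin/mailq"      },
    { "newaliases", "/usr/bin/newaliases" },
};

/* Map the caller-controlled argv[0] to a constant absolute path. Only the
 * basename is looked at, and the returned string is ours, so a program that
 * later re-executes argv[0] cannot be pointed at a caller-chosen file. */
const char *safe_argv0(const char *argv0)
{
    const char *base;
    size_t i;

    if (argv0 == NULL)                 /* execve() permits an empty argv */
        return allowed[0].path;
    base = strrchr(argv0, '/');
    base = base ? base + 1 : argv0;
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (strcmp(base, allowed[i].name) == 0)
            return allowed[i].path;
    return allowed[0].path;            /* unknown name: default personality */
}

int main(int argc, char **argv)
{
    char *fallback[] = { NULL, NULL };

    if (argc < 1)                      /* no slot to overwrite: build one */
        argv = fallback;
    argv[0] = (char *)safe_argv0(argv[0]);
    execve(REAL_PROG, argv, environ);  /* fixed target, never argv[0] */
    perror("execve");
    return 1;
}
```

Returning an absolute path rather than the bare basename matters because execve() does not search PATH: a bare "mailq" would be resolved relative to the caller's current directory.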