[450] in bugtraq


Re: 8lgm's SCO "at" hole

daemon@ATHENA.MIT.EDU (Karl Strickland)
Fri Dec 9 18:35:01 1994

From: Karl Strickland <karl@bagpuss.demon.co.uk>
To: Justin Mason <jmason@iona.ie>
Date: Fri, 9 Dec 1994 21:05:14 +0000 (GMT)
Cc: bugtraq@fc.net
In-Reply-To: <199412091249.MAA29464@destructor.iona.ie> from "Justin Mason" at Dec 9, 94 12:49:22 pm

> 
> [8lgm]-Advisory-10-EXPLOIT describes a hole where a setgid program runs
> /bin/pwd with popen(3).
> 
> In case you don't know, this is the way that SunOS, as well as SCO,
> performs the getcwd() call. Other versions of UNIX may also implement
> it this way, although Solaris' getwd() doesn't (sorry folks -- don't
> have enough UNIX machines with trace commands!).
> 
> trace/truss -f this C code to check:
> 
> #include <stdio.h>
> #include <unistd.h>   /* getcwd() prototype */
> int main(void) { char x[1024]; if (getcwd(x, sizeof x)) printf("%s\n", x); return 0; }
> 
> If you see a fork or vfork, your getcwd runs /bin/pwd.
> 
> If you have any setuid programs that call getcwd(), make sure they
> sanitise their environment beforehand. Another thing to watch out
> for...

AFAIK, getcwd(3) always calls /bin/pwd; but getwd(2) is a system call.
getcwd() is only provided for backwards compatibility; I suppose all new
code should be using getwd(2).
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |
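As an added example that is not part of this thread, here is one way a setuid program could follow Justin's advice and sanitise its environment before calling getcwd() on a system where the library forks /bin/pwd. It replaces the inherited environment with a whitelist that holds only a fixed PATH (the value shown is an assumption; use whatever your system needs) and wraps getcwd() so the sanitisation step cannot be skipped. The function names sanitize_environment() and safe_getcwd() are mine, not from any of the systems discussed.

```c
/* Added example, not from the thread: whitelist-based environment
 * sanitisation for privileged code that calls getcwd(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* The only variables this program passes on to anything it (or libc on
 * its behalf) executes. Everything inherited from the caller is dropped.
 * Static storage so environ can point at it directly. */
static char *safe_env[] = {
    "PATH=/bin:/usr/bin",   /* fixed, trusted search path (assumed value) */
    NULL
};

/* Replace the inherited environment with the whitelist.
 * Returns the number of variables that were in place before the swap. */
int sanitize_environment(void)
{
    int dropped = 0;
    if (environ != NULL)
        for (char **e = environ; *e != NULL; e++)
            dropped++;
    environ = safe_env;
    return dropped;
}

/* getcwd() wrapper for setuid code: sanitise first, then ask for the
 * directory. Returns 1 on success, 0 on failure (buf is then empty).
 * Whether libc answers via a system call or by running /bin/pwd, the
 * child only ever sees the whitelisted environment. */
int safe_getcwd(char *buf, size_t len)
{
    sanitize_environment();
    if (len == 0 || getcwd(buf, len) == NULL) {
        if (len)
            buf[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    char cwd[4096];
    int n = sanitize_environment();
    printf("dropped %d inherited variables; PATH is now %s\n", n, getenv("PATH"));
    if (safe_getcwd(cwd, sizeof cwd))
        printf("cwd: %s\n", cwd);
    return 0;
}
```

Call sanitize_environment() once at program start, before any library routine that might spawn a child, and route every later directory lookup through safe_getcwd(); truss/trace -f on the result shows the child, if any, inheriting nothing but the fixed PATH.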
