Re: 8lgm's SCO "at" hole

Karl Strickland (karl@bagpuss.demon.co.uk)
Fri, 9 Dec 1994 21:05:14 +0000 (GMT)

> 
> [8lgm]-Advisory-10-EXPLOIT describes a hole where a setgid program runs
> /bin/pwd with popen(3).
> 
> In case you don't know, this is the way that SunOS, as well as SCO,
> performs the getcwd() call. Other versions of UNIX may also implement
> it this way, although Solaris' getwd() doesn't (sorry folks -- don't
> have enough UNIX machines with trace commands!).
> 
> trace/truss -f this C code to check:
> 
> #include <stdio.h>
> #include <unistd.h>   /* getcwd() */
> int main(void) { char x[1024]; if (getcwd(x, sizeof x)) printf("%s\n", x); return 0; }
> 
> If you see a fork or vfork, your getcwd runs /bin/pwd.
> 
> If you have any setuid programs that call getcwd(), make sure they
> sanitise their environment beforehand. Another thing to watch out
> for...

AFAIK, getcwd(3) always calls /bin/pwd; but getwd(2) is a system call.
getcwd() is only provided for backwards compatibility; I suppose all new
code should be using getwd(2).
------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |