> > [8lgm]-Advisory-10-EXPLOIT describes a hole where a setgid program runs
> > /bin/pwd with popen(3).
>
> In case you don't know, this is the way that SunOS, as well as SCO,
> performs the getcwd() call. Other versions of UNIX may also implement
> it this way, although Solaris' getwd() doesn't (sorry folks -- don't
> have enough UNIX machines with trace commands!).
>
> trace/truss -f this C code to check:
>
> #include <stdio.h>
> #include <unistd.h>   /* declares getcwd() */
>
> int main(void)
> {
>     char x[1024];
>     getcwd(x, sizeof x);   /* on a popen()-based libc this forks /bin/pwd */
>     printf("%s\n", x);
>     return 0;
> }
>
> If you see a fork or vfork, your getcwd runs /bin/pwd.
>
> If you have any setuid programs that call getcwd(), make sure they
> sanitise their environment beforehand. Another thing to watch out
> for...

AFAIK, getcwd(3) always calls /bin/pwd; but getwd(2) is a system call.
getcwd() is only provided for backwards compatibility; I suppose all new
code should be using getwd(2).

------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               | Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
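The quoted advice, "make sure they sanitise their environment beforehand", as a worked example. This is added here and is not code from either poster: a privileged program that throws away the inherited environment and installs a fixed, trusted one before calling getcwd(), so that a libc which implements getcwd() by running /bin/pwd through popen(3) hands the child shell no attacker-controlled PATH or IFS. The function names, the trusted PATH value and the hostile IFS value set in main() are assumptions constructed for this example.

```c
/* Added example: sanitise the environment before getcwd() in a setuid/setgid
 * program. Not from the original posts; names and values are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* The only variables a privileged program should carry into a child shell.
 * Everything inherited from the caller (IFS, LD_*, a hostile PATH, ...) is
 * dropped by replacing the whole array rather than unsetting names one by one. */
static char *trusted_env[] = {
    "PATH=/usr/bin:/bin",   /* assumed trusted search path for this example */
    NULL
};

/* Replace the inherited environment wholesale with trusted_env. Returns 0. */
int sanitise_environment(void)
{
    environ = trusted_env;
    return 0;
}

/* Returns 1 if every variable currently set is one of the trusted entries,
 * 0 if anything else survived. Useful as a self-check before privileged work. */
int environment_is_trusted(void)
{
    for (char **e = environ; *e != NULL; e++) {
        int found = 0;
        for (char **t = trusted_env; *t != NULL; t++) {
            if (strcmp(*e, *t) == 0) { found = 1; break; }
        }
        if (!found) return 0;
    }
    return 1;
}

/* Clean the environment, then fetch the working directory. If libc runs
 * /bin/pwd under the hood, the child now sees only trusted_env.
 * Returns buf on success, NULL on failure. */
char *safe_getcwd(char *buf, size_t size)
{
    if (sanitise_environment() != 0) return NULL;
    return getcwd(buf, size);
}

int main(void)
{
    char cwd[1024];

    /* Constructed hostile inherited value: a caller set IFS to "/" hoping to
     * make a popen()'d shell parse "/bin/pwd" as "bin pwd". */
    setenv("IFS", "/", 1);

    if (safe_getcwd(cwd, sizeof cwd) == NULL) {
        perror("getcwd");
        return 1;
    }
    printf("IFS after cleanup: %s\n", getenv("IFS") ? getenv("IFS") : "(unset)");
    printf("environment trusted: %s\n", environment_is_trusted() ? "yes" : "no");
    printf("cwd: %s\n", cwd);
    return 0;
}
```

Assigning to `environ` is the simplest portable way to discard everything at once; glibc's `getenv()`/`setenv()` follow the new array, and any later `popen(3)` or `execv` in the process inherits only the trusted entries.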