Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!philabs!seismo!hao!hplabs!sri-unix!gwyn@brl-vld
From: gwyn%brl-vld@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Security loopholes
Message-ID: <2705@sri-arpa.UUCP>
Date: Fri, 1-Jul-83 03:11:32 EDT
Article-I.D.: sri-arpa.2705
Posted: Fri Jul 1 03:11:32 1983
Date-Received: Thu, 7-Jul-83 11:24:25 EDT
Lines: 33

From: Doug Gwyn (VLD/VMB)

People here showed me a couple of things that should be checked carefully
in every piece of security-related system utility code:

(1) A program can be exec'ed with argc==0; make sure this doesn't cause
    any problems.

(2) A program can be exec'ed with some of fd's 0, 1, and 2 closed; this
    may cause unexpected problems. For example:

        /* passwd -- password changing utility [EXAMPLE] */
        #include <stdio.h>
        main()
        {
            FILE *pw_out = fopen( "/etc/passwd.new", "w" );
            FILE *pw_in = fopen( "/etc/passwd", "r" );

            printf( "New password: " );
            ...     /* get password from stdin */
            ...     /* having checked it, copy pw_in to pw_out changing user's data */
            rename( "/etc/passwd.new", "/etc/passwd" );
            exit( 0 );
        }

Now, consider what happens if this program is run with fd 1 closed.
pw_out would be opened with fd 1, and the printf() would clobber root's
data in the newly-constructed password file.

Of course, there are fixes in this particular case (and it may not even
work like that in practice) but the point should be clear.
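A defensive check for item (2), added here as an example and not part of Doug Gwyn's post: before a setuid utility opens any file it makes sure descriptors 0, 1 and 2 are all open (pointing the closed ones at /dev/null), and a second function reproduces the described scenario in a child process to show that open() really does hand back fd 1 once stdout is closed. The function names are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if fd is open, 0 if closed (EBADF), -1 on any other error. */
int fd_is_open(int fd)
{
    if (fcntl(fd, F_GETFD) != -1) return 1;
    return errno == EBADF ? 0 : -1;
}

/* Ensure fds 0, 1 and 2 are open before the program touches any file, so
 * a later open()/fopen() can never be handed a standard descriptor.
 * Walking upward means each open("/dev/null") lands on exactly fd.
 * Returns how many descriptors were reopened, or -1 on error. */
int sanitize_std_fds(void)
{
    int reopened = 0;
    for (int fd = 0; fd <= 2; fd++) {
        int st = fd_is_open(fd);
        if (st < 0) return -1;
        if (st == 1) continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0) return -1;
        if (nfd != fd) {                 /* defensive: should not happen */
            if (dup2(nfd, fd) < 0) return -1;
            close(nfd);
        }
        reopened++;
    }
    return reopened;
}

/* Reproduce the post's scenario in a child: with fd 1 closed, the next
 * open() returns 1, so stdout output would land in that file.
 * Returns the descriptor the child's open() received, or -1. */
int fd_opened_after_closing_stdout(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        sanitize_std_fds();              /* start from a known state */
        close(1);                        /* "exec'ed with stdout closed" */
        int fd = open("/dev/null", O_WRONLY);
        _exit(fd < 0 ? 255 : fd);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 255 ? -1 : WEXITSTATUS(status);
}
```

Calling sanitize_std_fds() first thing in main() (before any fopen) is what keeps the passwd example above from ever getting /etc/passwd.new on fd 1.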