Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!linus!philabs!seismo!hao!hplabs!sri-unix!gwyn@brl-vld
From: gwyn%brl-vld@sri-unix.UUCP
Newsgroups: net.unix-wizards
Subject: Security loopholes
Message-ID: <2705@sri-arpa.UUCP>
Date: Fri, 1-Jul-83 03:11:32 EDT
Article-I.D.: sri-arpa.2705
Posted: Fri Jul  1 03:11:32 1983
Date-Received: Thu, 7-Jul-83 11:24:25 EDT
Lines: 33

From:      Doug Gwyn (VLD/VMB) 

People here showed me a couple of things that should be checked carefully
in every piece of security-related system utility code:

(1)  A program can be exec'ed with argc==0; make sure this doesn't cause
	any problems.

(2)  A program can be exec'ed with some of fd's 0, 1, and 2 closed; this
	may cause unexpected problems.  For example:

	/*
		passwd -- password changing utility [EXAMPLE]
	*/
	#include	<stdio.h>
	main()
	{
	FILE	*pw_out = fopen( "/etc/passwd.new", "w" );
	FILE	*pw_in = fopen( "/etc/passwd", "r" );

	printf( "New password: " );
	... /* get password from stdin */
	... /* having checked it, copy pw_in to pw_out changing user's data */
	rename( "/etc/passwd.new", "/etc/passwd" );
	exit( 0 );
	}

	Now, consider what happens if this program is run with fd 1
	closed.  pw_out would be opened with fd 1, and the printf()
	would clobber root's data in the newly-constructed password file.

	Of course, there are fixes in this particular case (and it may
	not even work like that in practice) but the point should be clear.
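As an added illustration (not part of Gwyn's post), here is a defensive prologue for both points: it checks argc before touching argv[0], and fills any closed standard descriptor with /dev/null before the first fopen(), so the work file cannot come back as fd 1. The function names, the /tmp path, and the use of fcntl(F_GETFD) as the open-descriptor probe are my assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>

/* 1 if fd is an open descriptor, 0 if it is closed. */
int fd_is_open(int fd) { return fcntl(fd, F_GETFD) != -1; }

/* Point any closed standard descriptor at /dev/null so a later open() or
 * fopen() cannot land on 0, 1 or 2 (open() returns the lowest free fd).
 * Returns the number filled, or -1 if /dev/null came back at another fd. */
int sanitize_std_fds(void)
{
    int fd, filled = 0;
    for (fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        if (open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY) != fd)
            return -1;
        filled++;
    }
    return filled;
}

/* Second line of defence: refuse a stream that landed on fd 0, 1 or 2. */
FILE *fopen_not_std(const char *path, const char *mode)
{
    FILE *fp = fopen(path, mode);
    if (fp != NULL && fileno(fp) <= 2) {
        fclose(fp);
        return NULL;
    }
    return fp;
}

int main(int argc, char **argv)
{
    const char *prog = argc > 0 ? argv[0] : "passwd";   /* point (1) */
    if (sanitize_std_fds() < 0)
        return 1;                          /* nowhere safe to complain */
    /* Point (2): only now open the work file; it gets fd 3 or higher. */
    FILE *pw_out = fopen_not_std("/tmp/passwd.new.example", "w");
    if (pw_out == NULL) {
        perror(prog);
        return 1;
    }
    printf("New password: ");           /* reaches fd 1, not pw_out */
    fclose(pw_out);
    return 0;
}
```

Run it as `./a.out >&-` (stdout closed) and the prompt silently goes to /dev/null instead of into the work file.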