Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP Posting-Version: version B 2.10 beta 3/9/83; site utecfa.UUCP Path: utzoo!utcsrgv!utai!uthub!utecfa!larry From: larry@utecfa.UUCP (Larry Philps) Newsgroups: net.bugs.4bsd Subject: Re: SECURITY HOLE in tftpd Message-ID: <159@utecfa.UUCP> Date: Thu, 27-Sep-84 17:50:21 EDT Article-I.D.: utecfa.159 Posted: Thu Sep 27 17:50:21 1984 Date-Received: Thu, 27-Sep-84 20:41:46 EDT References: <442@unmvax.UUCP> Distribution: net Organization: Engineering Computing Facility, University of Toronto Lines: 45Sorry, the "better" fix shown below will not work. >From: lee@unmvax.UUCP >Subject: SECURITY HOLE in tftpd > ... >+ /* Check path first */ >+ ptr = file; >+ ptr++; >+ while (*ptr) { >+ if (*ptr++ != '/') >+ continue; >+ ptr--; >+ *ptr = NULL; >+ sret = stat(file, &stbuf); /*********/ >+ *ptr++ = '/'; >+ if (sret < 0) >+ return (errno == ENOENT ? ENOTFOUND : EACCESS); >+ if (!((stbuf.st_mode&S_IFMT)&S_IFDIR)) >+ break; >+ if ((stbuf.st_mode&(S_IEXEC >> 6)) == 0) >+ return (EACCESS); >+ } Bill Shannon stated that it was hard to do this because of symbolic links, and he was right. The stat done in the middle of the loop (marked above by /******/) executed run as root, and thus if a symbolic link is encountered, all directories/files in the link will be searched as root. For example, # chmod 700 /sys # su guest % cd % ln -s sneaky /sys/sys/ufs_syscalls.c % tftp localhost % get sneaky Will get the file since the stat will only check ./sneaky, and /sys/sys/ufs_syscalls.c. The intervening directories, /sys and /sys/sys, will not be checked. -- Larry Philps Engineering Computing Facility University of Toronto {linus,ihnp4,uw-beaver,floyd,decvax,utzoo}!utcsrgv!utecfa!larry