Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site bu-cs.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!think!harvard!bu-cs!root
From: root@bu-cs.UUCP (Barry Shein)
Newsgroups: net.bugs.uucp
Subject: Re: Read permission on /etc/phones
Message-ID: <446@bu-cs.UUCP>
Date: Fri, 28-Jun-85 19:17:11 EDT
Article-I.D.: bu-cs.446
Posted: Fri Jun 28 19:17:11 1985
Date-Received: Sun, 30-Jun-85 00:20:22 EDT
References: <472@qantel.UUCP>, <170@motel6.UUCP>
Organization: Boston Univ Comp. Sci.
Lines: 34

>From: keith@motel6.UUCP (Keith Packard)
>Subject: Re: Read permission on /etc/phones

>The problem with tip is that, after locking the modem port, it
>setuid's back to the original invoker's uid/gid.  This is
>supposed to patch the security hole surrounding shell escapes
>and file transfers.  Fine, but, alas, it doesn't read /etc/phones
>until it has forked and setuid'ed, so, unless the file is
>444 or better, it can't read it.  I can't think of a simple solution
>to this; it has to read the phones file first and save the information
>until it needs it.
>
>Keith Packard

Good news! You only have to *open* the file while priv'd;
the open file descriptor is not further checked (at least
not in 4.2bsd, tho I doubt it is different in any O/S,
let alone UNIX...anybody?)

If you want to fix this, all you would have to do is open /etc/phones
while priv'd, save the file descriptor/pointer into an extern
(probably), and comment out the open you find later. Of course
this assumes it only reads the phones file once, but a rewind()
and getting rid of the close should get around multiple reading
too, as long as file descriptors aren't precious commodities.

Is this good news? I assume so; I think the only line of defense
need be at the open, not the r/w, tho it sounds like a general place to
scout around for security holes?! Like, what if I find a program
that uses something like a -f arg and later goes interactive
and I have the /dev/fd? driver...I dunno...

	-Barry Shein, Boston University
	Free associating in public, as usual
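Added example, not from the original post or from tip's source: a small C program showing the open-time check Barry describes. It opens a constructed stand-in for /etc/phones, then makes the file unreadable (chmod 0 stands in for tip's setuid back to the invoker, which we cannot do unprivileged), and shows a fresh open fails while the retained stream still reads the entries, twice, via rewind().

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for /etc/phones: "system phone-number" lines. */
static const char *PHONES_SAMPLE = "motel6 555-0101\nqantel 555-0199\n";

/* Count entries readable through an already-open stream, rewinding
 * first so repeated reads work as the post suggests. */
static int count_entries(FILE *fp)
{
    char line[128];
    int n = 0;
    rewind(fp);
    while (fgets(line, sizeof line, fp) != NULL)
        n++;
    return n;
}

/* Returns a bit mask: bit 0 set if the retained stream still yields both
 * entries (on two passes) after the file became unreadable; bit 1 set if
 * a fresh fopen() of the same path failed, which is expected unless the
 * process runs as root, whose opens ignore the mode bits. */
int phones_open_time_check(void)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/phones-demo-%ld", (long)getpid());
    FILE *wf = fopen(path, "w");
    if (wf == NULL) return 0;
    fputs(PHONES_SAMPLE, wf);
    fclose(wf);

    /* "Privileged" phase: open the file once and keep the stream. */
    FILE *kept = fopen(path, "r");
    if (kept == NULL) { unlink(path); return 0; }

    /* Stand-in for tip's setuid(getuid()): after this, a new open()
     * from this process is refused just as it would be without root. */
    chmod(path, 0);

    int result = 0;
    FILE *fresh = fopen(path, "r");   /* the open tip does too late */
    if (fresh == NULL) result |= 2; else fclose(fresh);

    if (count_entries(kept) == 2 && count_entries(kept) == 2)
        result |= 1;                  /* kept stream reads fine, twice */

    fclose(kept);
    unlink(path);
    return result;
}
```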