Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site bu-cs.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!think!harvard!bu-cs!root
From: root@bu-cs.UUCP (Barry Shein)
Newsgroups: net.bugs.uucp
Subject: Re: Read permission on /etc/phones
Message-ID: <446@bu-cs.UUCP>
Date: Fri, 28-Jun-85 19:17:11 EDT
Article-I.D.: bu-cs.446
Posted: Fri Jun 28 19:17:11 1985
Date-Received: Sun, 30-Jun-85 00:20:22 EDT
References: <472@qantel.UUCP>, <170@motel6.UUCP>
Organization: Boston Univ Comp. Sci.
Lines: 34

>From: keith@motel6.UUCP (Keith Packard)
>Subject: Re: Read permission on /etc/phones
>The problem with tip is that, after locking the modem port, it
>setuid's back to the original invoker's uid/gid. This is
>supposed to patch the security hole surrounding shell escapes
>and file transfers. Fine, but, alas, it doesn't read /etc/phones
>until it has forked and setuid'ed, so, unless the file is
>444 or better, it can't read it. I can't think of a simple solution
>to this; it has to read the phones file first and save the information
>until it needs it.
>
>Keith Packard

Good news! You only have to *open* the file while priv'd; the open file
descriptor is not further checked (at least not in 4.2bsd, tho I doubt it
is different in any O/S, let alone UNIX...anybody?)

If you want to fix this, all you would have to do is open /etc/phones
while priv'd, save the file descriptor/pointer into an extern (probably)
and comment out the open you find later. Of course this assumes it only
reads the phones file once, but a rewind() and getting rid of the close
should get around multiple reading also, as long as file descriptors
aren't precious commodities.

Is this good news? I assume so. I think the only line of defense need
be at the open, not the r/w, tho sounds like a general place to scout
around for security holes?! Like, what if I find a program that uses
something like a -f arg and later goes interactive and I have the /dev/fd
driver...I dunno...

	-Barry Shein, Boston University

Free associating in public, as usual
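The open-then-drop-privileges pattern described in the post, written out as an added example; this is not code from the original article and not tip's own source. It assumes a POSIX system: the program opens the protected file while still privileged, permanently drops to the invoking user's real uid/gid, and keeps using the already-open descriptor, since the kernel checks permission at open(2) and not again on later read(2)/lseek(2) calls. The file path and "phones" contents are constructed for the demonstration, and the descriptor is marked close-on-exec so a later shell escape does not inherit it.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Permanently drop any set-uid/set-gid privilege and verify the drop stuck.
 * Returns 0 on success, -1 on failure. A no-op when not running set-id. */
static int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == ruid && getegid() == rgid)
        return 0;                       /* nothing to drop */

    /* Group first, while still privileged enough to change it, then user. */
    if (setgid(rgid) != 0 || setuid(ruid) != 0)
        return -1;

    /* The drop must be permanent (setuid, not seteuid): regaining must fail. */
    if (geteuid() != ruid || getegid() != rgid)
        return -1;
    if (ruid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Open `path` while (possibly) privileged, then drop privileges for good.
 * Returns the open descriptor, or -1 with errno set. */
int open_then_drop_privileges(const char *path)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    fcntl(fd, F_SETFD, FD_CLOEXEC);    /* don't leak it into shell escapes */

    if (drop_privileges() != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;                          /* still readable: checked at open() */
}

/* Read up to buflen-1 bytes from fd into buf and NUL-terminate.
 * Returns bytes read, or -1 with errno set. */
ssize_t read_all(int fd, char *buf, size_t buflen)
{
    size_t total = 0;
    while (total < buflen - 1) {
        ssize_t n = read(fd, buf + total, buflen - 1 - total);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        if (n == 0)
            break;
        total += (size_t)n;
    }
    buf[total] = '\0';
    return (ssize_t)total;
}

/* Demonstration: write a constructed "phones" file, open it, drop privileges,
 * read it, then rewind with lseek() and read it again without reopening
 * (the "rewind() and get rid of the close" variant from the post).
 * Returns 1 when both reads match the expected contents, 0 otherwise. */
int demo_reread_after_drop(void)
{
    static const char path[] = "/tmp/phones_example.txt";   /* constructed */
    static const char sample[] = "hosta 555-0100\nhostb 555-0199\n";
    char first[128], second[128];
    int ok = 0;

    int wfd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (wfd < 0)
        return 0;
    if (write(wfd, sample, strlen(sample)) != (ssize_t)strlen(sample)) {
        close(wfd);
        return 0;
    }
    close(wfd);

    int fd = open_then_drop_privileges(path);
    if (fd < 0)
        return 0;

    if (read_all(fd, first, sizeof first) >= 0 &&
        lseek(fd, 0, SEEK_SET) == 0 &&              /* rewind, no reopen */
        read_all(fd, second, sizeof second) >= 0 &&
        strcmp(first, sample) == 0 && strcmp(second, sample) == 0)
        ok = 1;

    close(fd);
    unlink(path);
    return ok;
}
```

Run as an ordinary user the privilege drop is a no-op and the demo simply exercises the read/rewind path; installed set-uid root, `open_then_drop_privileges()` is the only point that needs the privilege, and everything after it runs as the invoker. The check that `setuid(0)` fails afterwards is what distinguishes a real drop from a temporary `seteuid()` swap, which is the property tip's fix depends on.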