Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!cbatt!cbosgd!mirror!sources-request
From: sources-request@mirror.UUCP
Newsgroups: mod.sources
Subject: v07i090:  Find security holes in shell-escapes
Message-ID: <775@mirror.TMC.COM>
Date: Wed, 10-Dec-86 13:46:16 EST
Article-I.D.: mirror.775
Posted: Wed Dec 10 13:46:16 1986
Date-Received: Sun, 14-Dec-86 06:37:28 EST
Sender: rs@mirror.TMC.COM
Lines: 210
Approved: mirror!rs

Submitted by: ihnp4!utzoo!hcr!hcrvx1!hugh
Mod.sources: Volume 7, Issue 90
Archive-name: forktest

I would like to submit the following program to mod.sources.  I hope
that the comments are sufficient explanation.  I don't see that a
manual is worthwhile.

I have run this program under System V and Version 7.  I have not
tested it under BSD, but I know of no impediment.

With this program, I have found bugs in a number of UNIX System V
utilities.  I am sure that BSD programs would be just as buggy, but
I haven't tested them.  Here are some examples:

Programs that leave extra file descriptors open:
     sdb ! command
     mailx ~! command during message composition, and ! command (two extra)
     mail ! command
     rn ! or | command (5 extra!)
     cu ~! command (one extra: number 5)

Programs that leave signals ignored:
     mailx ~! command (SIGINT!)
     rn ! and | commands (SIGEMT!?)

I think that this list shows that it is easy to get fork(2) wrong.
I hope programmers will use ForkTest to catch this type of bug
early.  Exercise for the reader: what can you scribble on with those
extra file descriptors?

Hugh Redelmeier (416) 922-1937
utzoo!hcr!hugh

[  I wrote the Makefile and README.  --r$  ]
----------CUT HERE----------

#! /bin/sh
# This is a shell archive.  Remove anything before this line,
# then unpack it by saving it in a file and typing "sh file".
# If all goes well, you will see the message "End of shell archive."
# Contents:  Makefile README forktest.c
# Wrapped by rs@mirror on Wed Dec 10 13:44:46 1986
PATH=/bin:/usr/bin:/usr/ucb; export PATH
echo shar: extracting "'Makefile'" '(63 characters)'
if test -f 'Makefile' ; then 
  echo shar: will not over-write existing file "'Makefile'"
else
sed 's/^X//' >Makefile <<'@//E*O*F Makefile//'
X
Xforktest:	forktest.c
X	$(CC) $(CFLAGS) -o forktest forktest.c
X
@//E*O*F Makefile//
if test 63 -ne "`wc -c <'Makefile'`"; then
    echo shar: error transmitting "'Makefile'" '(should have been 63 characters)'
fi
fi # end of overwriting check
echo shar: extracting "'README'" '(253 characters)'
if test -f 'README' ; then 
  echo shar: will not over-write existing file "'README'"
else
sed 's/^X//' >README <<'@//E*O*F README//'
X
X[  This program is designed to be called by programs that allow
X   shell escapes.  It prints out the argc,argv parameters, and
X   lists the disposition of signals, alarm calls, etc.  The fun
X   part is when it lists the open file descriptors...  -r$ ]
@//E*O*F README//
if test 253 -ne "`wc -c <'README'`"; then
    echo shar: error transmitting "'README'" '(should have been 253 characters)'
fi
fi # end of overwriting check
echo shar: extracting "'forktest.c'" '(3059 characters)'
if test -f 'forktest.c' ; then 
  echo shar: will not over-write existing file "'forktest.c'"
else
sed 's/^X//' >forktest.c <<'@//E*O*F forktest.c//'
X/* Fork Test: display args, open files, signals, etc.
X *
X * Simple as this program is, it has found bugs in the
X * way a number of programs fork off children.  To test
X * how a program is invoking its children, run this
X * program as a child.
X *
X * Generally, processes should be created with:
X *
X * - a reasonable arg count & list
X * - arg 0 should look like the name of the command
X *
X * - real and effective UIDs and GIDs should be reasonable.
X *   Beware setuid programs that fork children!
X *
X * - no pending alarm.  Version 7 apparently does not
X *   reset alarms upon an exec!
X *
X * - file descriptors 0 (STDIN), 1 (STDOUT), and 2 (STDERR)
X *   opened reasonably
X * - all other file descriptors closed (this program will
X *   describe all open channels)
X *
X * - all signals (except SIGKILL) set to SIG_DFL (this
X *   program will print all signals set otherwise)
X *
X * The output is fairly simple to understand.  When in
X * doubt, read the code (and a UNIX manual: exec(2),
X * getuid(2), alarm(2), signal(2), stat(2)).
X *
X * Room for Improvement:
X *
X * - strings should be printed in a way that shows funny characters.
X * - show misc. other bits of state
X *	- PID (who cares?)
X *	- umask
X *	- ulimit (System V)
X *	- stty settings of open TTYs
X *
X * Copyright (c) 1986 March 11  D. Hugh Redelmeier
X *
X * This program may be distributed and used without restriction.
X */
X
X#include <stdio.h>
X
Xextern unsigned alarm();	/* should be unsigned, but may be int */
X
X#include <sys/types.h>
X#include <sys/stat.h>
X
Xstruct stat sb;
X
X#include <errno.h>
Xextern int errno;
Xextern char *sys_errlist[];
X
X#include <signal.h>
X
Xint (*signal())();
X
Xmain(argc, argv, envp)
Xint argc;
Xchar **argv, **envp;
X{
X	register int i;
X	unsigned al = alarm(0);	/* get it while it is hot */
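X
X	printf("%d arg(s):", argc);
X	/* The text from the middle of the next line down to the default
X	 * case of the file-type switch is missing from this copy.  It is
X	 * reconstructed here from the header comment and the declarations
X	 * above; the message wording and the limit of 20 descriptors are
X	 * assumptions, not the author's original code.
X	 */
X	for (i=0; i<argc; i++)
X		printf(" \"%s\"", argv[i]);
X	printf("\n");
X
X	printf("UID: %d real, %d effective\n", getuid(), geteuid());
X	printf("GID: %d real, %d effective\n", getgid(), getegid());
X
X	if (al != 0)
X		printf("Pending alarm: %u second(s)\n", al);
X
X	printf("Open files:\n");
X	for (i=0; i!=20; i++)
X		if (fstat(i, &sb) == -1) {
X			if (errno != EBADF)
X				printf("\t%d: %s\n", i, sys_errlist[errno]);
X		} else {
X			printf("\t%d: dev 0x%x, inode %d, ", i, (int) sb.st_dev, (int) sb.st_ino);
X			switch (sb.st_mode & S_IFMT) {
X			case S_IFREG:
X				printf("regular file\n");
X				break;
X			case S_IFDIR:
X				printf("directory\n");
X				break;
X			case S_IFCHR:
X				printf("character special\n");
X				break;
X			case S_IFBLK:
X				printf("block special\n");
X				break;
X			default:
X				printf("file type %o\n", (sb.st_mode & S_IFMT)>>12);
X				break;
X			}
X		}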
X	printf("Signals:\n");
X	for (i=1; i!=40; i++) {	/* I hope 40 is enough. */
X		register int n = (int) signal(i, SIG_IGN);
X		switch (n) {
X		case -1:
X		case SIG_DFL:
X			break;
X		case SIG_IGN:
X			printf("\t%d: SIG_IGN\n", i);
X			break;
X		default:
X			printf("\t%d: %d\n", i, n);
X			break;
X		}
X	}
X
X	printf("Environment:\n");
X	for (i=0; envp[i]!=NULL; i++)
X		printf("\t\"%s\"\n", envp[i]);
X
X	exit(0);
X}
@//E*O*F forktest.c//
if test 3059 -ne "`wc -c <'forktest.c'`"; then
    echo shar: error transmitting "'forktest.c'" '(should have been 3059 characters)'
fi
fi # end of overwriting check
echo shar: "End of shell archive."
exit 0