henry@utzoo.UUCP (Henry Spencer) (02/11/84)
I apologize to the folks reading these newsgroups who have already seen
this one in net.bugs.4bsd, but there are almost certainly some sites which
don't get the net.* groups but do get one of these. And this bug is so
horrifying that it needs to be shouted from the housetops. Anyone running
4.2bsd, FIX IT FAST!

-----
From watmath!arwhite Fri Feb 10 15:47:16 1984
Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.1 6/24/83; site watmath.UUCP
Path: utzoo!watmath!arwhite
From: arwhite@watmath.UUCP (Alex White)
Newsgroups: net.bugs.4bsd
Subject: Urgent fix to open for 4.2bsd
Message-ID: <6820@watmath.UUCP>
Date: Wed, 8-Feb-84 14:43:29 EST
Article-I.D.: watmath.6820
Posted: Wed Feb 8 14:43:29 1984
Date-Received: Fri, 10-Feb-84 02:01:22 EST
Organization: U of Waterloo, Ontario
Lines: 33

Subject: FTRUNC bypasses permissions!
Index: /sys/ufs_syscalls.c 4.2BSD

Description:
    copen doesn't check permissions if FTRUNC is specified but FWRITE
    isn't. This means you can truncate files you don't have perms on,
    and truncate to zero length DIRECTORIES!!!!
Repeat-By:
    #include <sys/file.h>
    main()
    {
        open("xyz", O_TRUNC|O_RDONLY); /* xyz with no write perms */
        open(".", O_TRUNC|O_RDONLY);   /* Directory is truncated! */
    }
Fix:
    in copen, change
        if((mode&FCREAT) == 0) {
            if (mode&FREAD)
                ...
            if (mode&FWRITE) {
                ...
            }
        }
    change the
        if (mode&FWRITE) {
    to
        if (mode&(FWRITE|FTRUNC)) {
    this will mean the check for write perms will be done for truncate,
    and also the check for being a directory.

*If anybody takes advantage of this on any system on campus before I get
*around to changing them all and after I post this note you will find your
*account gone very quickly!
-----
-- 
Henry Spencer @ U of Toronto Zoology
{allegra,ihnp4,linus,decvax}!utzoo!henry
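
Added example, not part of the original posting and not the 4.2BSD source: a small user-space model of the check the post describes, run once with the reported condition (FWRITE) and once with the posted fix (FWRITE|FTRUNC). The flag names come from the post; the bit values, struct model_file, model_copen, size_after and the order of the two checks are assumptions made for the model.

```c
#include <errno.h>
#include <stdio.h>

/* Flag names come from the post; the bit values are assumed for this model. */
#define FREAD  00001
#define FWRITE 00002
#define FCREAT 01000
#define FTRUNC 02000

/* Hypothetical stand-in for the inode that the open has resolved. */
struct model_file { int can_read, can_write, is_dir; long size; };

/* Model of the existing-file branch of copen as the post sketches it.
 * write_mask is the set of mode bits that triggers the write-permission and
 * directory checks: FWRITE as reported, FWRITE|FTRUNC with the posted fix.
 * Returns 0 on success or an errno value. */
static int model_copen(struct model_file *f, int mode, int write_mask)
{
    if ((mode & FCREAT) == 0) {
        if ((mode & FREAD) && !f->can_read)
            return EACCES;
        if (mode & write_mask) {
            if (!f->can_write)
                return EACCES;
            if (f->is_dir)
                return EISDIR;
        }
    }
    if (mode & FTRUNC)
        f->size = 0;   /* truncation runs only after the checks pass */
    return 0;
}

/* Open a fresh 512-byte object with the given mode; return its size afterwards. */
static long size_after(int is_dir, int can_write, int mode, int write_mask)
{
    struct model_file f = { 1, can_write, is_dir, 512 };
    (void)model_copen(&f, mode, write_mask);
    return f.size;
}

int main(void)
{
    int mode = FREAD | FTRUNC;   /* the post's O_TRUNC|O_RDONLY */
    printf("as reported: file=%ld dir=%ld\n",
           size_after(0, 0, mode, FWRITE), size_after(1, 1, mode, FWRITE));
    printf("with fix:    file=%ld dir=%ld\n",
           size_after(0, 0, mode, FWRITE | FTRUNC), size_after(1, 1, mode, FWRITE | FTRUNC));
    return 0;
}
```

With the reported condition both objects end at size 0; with the fix both keep their 512 bytes, and a caller who does hold write permission and asks for FWRITE|FTRUNC on a regular file still truncates it.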