sean@ukma.UUCP (Sean Casey) (06/23/85)
There is a major security bug in the batch system posted by Len Lalonde
in <14907@watmath.UUCP>. Batch.c runs setuid root, but does not check any
files given to it as arguments for access permissions. Thus it becomes
possible to read any file on the system by specifying it as the shell file
argument to batch.
The patch to fix this bug follows:
*** batch.c.orig Tue Jun 18 12:29:18 1985
--- batch.c Tue Jun 18 21:33:25 1985
***************
*** 156,161
if(argv[i][0] == '-')
continue;
if((input = fopen(argv[i], "r")) == NULL) {
perror(argv[i]);
cleanup();
--- 164,171 -----
if(argv[i][0] == '-')
continue;
+ if(access(argv[i],R_OK) != 0)
+ setuid(getuid());
if((input = fopen(argv[i], "r")) == NULL) {
perror(argv[i]);
cleanup();shprentz@bdmrrr.UUCP (Joel Shprentz) (06/27/85)
The constant R_OK used by access() in the bug fix is not
defined in batch.c. Add the line
#include <sys/file.h>
to get its definition.
--
Joel Shprentz (703) 827-7953
BDM Corporation {seismo,rlgvax}!bdmrrr!shprentz
7915 Jones Branch Drive
McLean, Virginia 22102