[comp.sys.att] UNIXPC - 2 fixes if you want

brad@bradley.UUCP (02/03/88)

We all know that the unixpc has security holes.  Well I know 2 easy
ways of becoming root.  This is not acceptable here in a university
environment.  To fix I have 2 patches to fix this.  Let me know if
you want them (enough people send mail I will post the fix/programs).


Bradley Smith			UUCP: {cepu,ihnp4,noao,uiucdcs}!bradley!brad
Text Processing			ARPA: cepu!bradley!brad@seas.ucla.edu
Bradley University		PH: (309) 677-2337
Peoria, IL 61625

You never get a second chance to make a first impression.

brad@bradley.UUCP (02/07/88)

Well I will be posting them.   What I will post are a couple of things.

1. a uuencoded copy of an install diskette.
2. source to some of the programs on the install diskette

The other bug in mail is fixable by a third diskette (which includes
elm on it), or by doing this:

A. move /bin/mail /bin/nmail
B. put the following program in as /bin/mail

Have fun..... #1 and #2 will be posted sometime this weekend.
I will be in Dallas all next week.  See you all there!


Bradley Smith			UUCP: {cepu,ihnp4,noao,uiucdcs}!bradley!brad
Text Processing			ARPA: cepu!bradley!brad@seas.ucla.edu
Bradley University		PH: (309) 677-2337
Peoria, IL 61625

You never get a second chance to make a first impression.
============cut here for new /bin/mail
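/* /bin/mail: wrapper that takes on the identity of the user logged in
 * on /dev/w1 when run from a window, then runs the real mailer, which
 * has been moved to /bin/nmail. */
#include	<string.h>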
#include	<signal.h>
#include	<stdio.h>
#include	<sys/types.h>
#include	<sys/stat.h>
#include	<utmp.h>
#include	<pwd.h>

main(argc, argv)
	char          **argv;
{
	extern char    *getenv();
	char           *cp;
	struct stat     st;
	extern char    *cuserid();
	char            mailfile[256];
	struct utmp    *utmp, *getutline(), ut;
	struct passwd  *pwd, *getpwnam();
	char            lname[9], *cwd, *getcwd();
	extern char    *ttyname();


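	/* ttyname() returns NULL when stdout is not a terminal, so check
	 * the result before comparing it against the window device name. */
	cp = ttyname(1);
	if (cp != NULL && !strncmp(cp, "/dev/w", 6)) {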
		strcpy(ut.ut_line, "w1");
		utmp = getutline(&ut);
		if (utmp == NULL) {
			fprintf(stderr, "No-one logged in to /dev/w1\r\n");
			exit(1);
		}
		strncpy(lname, utmp->ut_user, 8);
		lname[8] = 0;	/* just in case it is == 8 */
		pwd = getpwnam(lname);
		if (pwd == NULL) {
			fprintf(stderr, "%s logged in but not in /etc/passwd\r\n",
				lname);
			exit(2);
		}
		cwd = getcwd((char *) NULL, 512);
		if ((cwd == NULL) || (strcmp(cwd, "/etc") == 0))
			chdir(pwd->pw_dir);
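		/* Drop the group first: once setuid() has given up root,
		 * setgid() is no longer permitted.  Refuse to continue if
		 * either call fails. */
		if (setgid(pwd->pw_gid) != 0 || setuid(pwd->pw_uid) != 0) {
			perror("mail: cannot drop privileges");
			exit(3);
		}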
		endpwent();	/* close files */
		endutent();
	}
	strcpy(mailfile, "/usr/mail/");
	if ((argc == 2) && !strcmp("-e", argv[1])) {	/* mail -e */
		cp = cuserid((char *) NULL);
		if (cp == NULL)		/* user unknown: report "no mail" */
			exit(1);
		strcat(mailfile, cp);
		if (stat(mailfile, &st) == 0) {
			if (st.st_size > 0L)
				exit(0);
		}
		exit(1);
	}
	if (isatty(0) == 0) {
		signal(SIGHUP, SIG_IGN);
		signal(SIGINT, SIG_IGN);
		signal(SIGQUIT, SIG_IGN);
	}
	execv("/bin/nmail", argv);	/* hand off to the real mail program */
	perror(argv[0]);		/* only reached if execv() failed */
	exit(1);
}
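
The wrapper above takes on the window user's identity before it runs the real mailer. As an added example (not part of the original post, and written for a modern POSIX system rather than the 1988 UNIX PC), the same drop with every step checked and then verified; the helper name `drop_privileges` and the use of `setgroups()` are assumptions of this example.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * drop_privileges() is a hypothetical helper, not code from the post.
 * It permanently switches the process to uid/gid and returns 0, or
 * returns -1 if any step fails.  On -1 the caller must exit without
 * exec'ing anything.
 */
int drop_privileges(uid_t uid, gid_t gid)
{
	/* Only root can (and needs to) shed the supplementary groups it
	 * inherited.  Simplification: keep just the primary group. */
	if (geteuid() == 0 && setgroups(1, &gid) != 0)
		return -1;

	/* Group before user: once setuid() has given up root, the
	 * process is no longer allowed to change its group. */
	if (setgid(gid) != 0)
		return -1;
	if (setuid(uid) != 0)
		return -1;

	/* Confirm the real and effective ids are what we asked for. */
	if (getuid() != uid || geteuid() != uid ||
	    getgid() != gid || getegid() != gid)
		return -1;

	/* The drop must be permanent: regaining root has to fail. */
	if (uid != 0 && setuid(0) == 0)
		return -1;
	return 0;
}

int main(void)
{
	/* Constructed demo: "drop" to the ids we already have, which
	 * works whether or not the program is started as root. */
	if (drop_privileges(getuid(), getgid()) != 0) {
		perror("drop_privileges");
		return 1;
	}
	printf("running as uid=%ld gid=%ld\n",
	       (long) getuid(), (long) getgid());
	return 0;
}
```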

gvogel@wsccs.UUCP (George Vogel) (02/11/88)

In article <9300053@bradley>, brad@bradley.UUCP writes:
> 
> We all know that the unixpc has security holes.  Well I know 2 easy
> ways of becoming root.  This is not acceptable here in a university
> environment.  To fix I have 2 patches to fix this.  Let me know if
> you want them (enough people send mail I will post the fix/programs).
> 
	We are currently using our 7300's to collect dust, but plan to
incorporate them into our English department (electronic mail, etc).

	Although I have yet to discover security problems, the fixes
would be very beneficial.  Count me in.