ron@brl-sem.UUCP (02/13/87)
In article <175@quacky.mips.UUCP>, dce@mips.UUCP (David Elliott) writes:
> I have found a gaping security hole in the 4.3BSD version of tip.
>
> The hole has to do with the fact that tip runs setuid uucp and allows
> shell escapes. Note that this security hole is not closed by adding
>
>     setuid(getuid());
>     setgid(getgid());
>
> before the call to exec(), since these calls do not take effect unless
> the person executing the call is root.

And why not? It works fine for me. You have always been able to SETUID
back to the real UID in UNIX, regardless of the effective UID. What varies
from system to system is whether you can change the real uid at all or
if you can go back to a previous effective UID after you have set it to
the real.

TIP needs to run UUCP to handle the "only one person using a dial out
at a time" problem.

-Ron
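
The pattern under discussion in this thread, resetting the effective IDs to the real IDs in the child before a shell escape is exec'd, as an added C example that is not part of the original posts or of tip's source. The function names `drop_to_real_ids` and `run_escape` are hypothetical, and the code assumes a POSIX system; it checks the resulting IDs instead of trusting the calls.

```c
/* Added example (not tip's code): drop set-id privileges before a shell escape. */
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set the effective IDs back to the real IDs and verify the result.
 * Returns 0 on success, -1 if a call failed or the IDs did not change. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first (conventional order): if the effective UID is root,
     * setgid() must run before root is given up to reset all group IDs. */
    if (setgid(rgid) != 0) return -1;
    if (setuid(ruid) != 0) return -1;

    /* Never trust the calls silently; check what the kernel reports. */
    if (geteuid() != ruid || getegid() != rgid) return -1;
    return 0;
}

/* Hypothetical escape handler: run cmd via /bin/sh in a child that has
 * dropped privileges. Returns the shell's exit status, or -1 on error. */
int run_escape(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        if (drop_to_real_ids() != 0)
            _exit(126);               /* refuse to exec with extra privilege */
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                   /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* The escaped shell reports its real and effective UID. */
    return run_escape("echo \"ruid=$(id -ru) euid=$(id -u)\"");
}
```

Installed set-uid to a non-root account, the program's shell should report the same value for both IDs; exit status 126 means the drop was refused and no shell was started.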