[net.unix-wizards] Safe version of system

karsh@geowhiz.UUCP (Bruce Karsh) (04/21/85)

  If you call the system(3) service from a program that is
setuid'ed to root, the argument of the call runs with root
privileges.  I wrote a protected version of system(3) that
I think is secure, and does what you would expect.  Is this
really secure, does it really do what one would expect, and
is this really the best way to do it?  I'd appreciate any
comments.

  For the record, we are running System III on a Masscomp.
It would be nice if this routine didn't care which flavor
of UN*X it ran on.

#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

int
safesystem(string)
char *string;
{
int status, pid;
pid = fork();
if (pid == -1)
  return -1;                   /* fork failed: report it rather than wait forever */
if (pid == 0)
  {
  /* child: drop root before the string reaches the shell */
  if (setuid(getuid()) != 0)
    _exit(127);
  status = system(string);
  /* exit here so the child never returns into the caller's code */
  _exit(WIFEXITED(status) ? WEXITSTATUS(status) : 127);
  }
while (wait(&status) != pid) ;
return status;
}
-- 
Bruce Karsh                           |
U. Wisc. Dept. Geology and Geophysics |
1215 W Dayton, Madison, WI 53706      | This space for rent.
(608) 262-1697                        |
{ihnp4,seismo}!uwvax!geowhiz!karsh    |

dave@lsuc.UUCP (David Sherman) (04/26/85)

In article <178@geowhiz.UUCP> karsh@geowhiz.UUCP (Bruce Karsh) writes:
||safesystem(string)
||char *string;
||{
||int status,pid;
||pid=fork();
||if(pid == 0)
||  {
||  setuid(getuid());
||  system(string);
||  }
||else
||  {
||  while (wait(&status) != pid) ;
||  }
||}

Looks OK to me, although while you're at it you should check
the SHELL environment variable, so someone who gets put into an
application when they sign on can't escape therefrom to the shell.

Also, if the fork() call fails and returns -1, the wait will
always return -1, and you'll loop forever. Not that most
UNIX programs are a heck of a lot more graceful in handling
fork failures, but at least they recognize it.

For that matter, the extra fork is unnecessary overhead. Copy
the system code (or invent it if you don't have source - it's
pretty simple), implement it in safesystem, and save a fork.

Dave Sherman
The Law Society of Upper Canada
-- 
{  ihnp4!utzoo  pesnta  utcs  hcr  decvax!utcsri  }  !lsuc!dave
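A version along the lines Dave suggests, added here as an example and not code from either poster: one fork, /bin/sh -c exec'd directly so the SHELL variable is never consulted, a scrubbed environment, group and user ids dropped with their return values checked, and a fork failure reported instead of spinning in wait(). The names safesystem and safesystem_exit_code are assumed.

```c
/* Hypothetical safesystem(): drop privileges, scrub the environment, and run
   /bin/sh -c directly with a single fork.  Not from the original thread. */
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Minimal environment handed to the child: the caller's PATH, SHELL and IFS
   are deliberately not inherited, so a user cannot substitute their own shell
   or field separators. */
static char *const safe_env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", (char *)0 };

/* Returns the wait(2) status of the shell, or -1 (errno set) on failure. */
int safesystem(const char *command)
{
    pid_t pid;
    int status;

    if (command == NULL) { errno = EINVAL; return -1; }

    pid = fork();
    if (pid == -1)
        return -1;                      /* fork failed: report, don't loop in wait() */

    if (pid == 0) {
        /* Child: give up the set-ids, group first, then user.  If either
           call fails, refuse to run the command while still privileged. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);
        if (geteuid() != getuid() || getegid() != getgid())
            _exit(127);
        /* The shell path is fixed; $SHELL from the environment is ignored. */
        execle("/bin/sh", "sh", "-c", command, (char *)0, safe_env);
        _exit(127);                     /* exec failed */
    }

    /* Parent: waitpid() reaps only this child, retrying across signals. */
    while (waitpid(pid, &status, 0) == -1) {
        if (errno != EINTR)
            return -1;
    }
    return status;
}

/* Convenience wrapper: the shell's exit code, or -1 if it did not exit normally. */
int safesystem_exit_code(const char *command)
{
    int status = safesystem(command);
    if (status == -1 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```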