rsm%brl-bmd@sri-unix.UUCP (07/09/83)
From: Robert S. Miles <rsm@brl-bmd> If you change write to be set-uid root, you must add in two things: One is a setuid(geteuid()) before the exec for a shell escape. almost as important, but less obvious, is that you must scrutinize the optional ttyname arguement to prevent things like write user ../etc/passwd This would of course be disasterous... First -- If you do a setuid(geteuid()) before the shell escape you're probably going to be **very** sorry later. I hope "andrew" meant to say setuid(getuid())! There IS a big difference! I think it would be even better if the program did the setuid(getuid()) immediately after opening the terminal since the open() is all that it needs its privileges for anyway. Second -- All the write commands I've ever seen only let you write to a terminal name which exactly matches one of those currently in use, as specified in /etc/utmp, so there shouldn't be much of a problem unless you happen to leave /etc/utmp writable. But this is a valid concern. Last -- if you're going to go to all this trouble to keep terminals protected then also remember to close the file descriptor to the terminal before doing the shell escape in the child! For systems that have it, you might just want to set "close on exec" (FIOCLEX) after opening the terminal. That way you're sure that no unauthorized programs will get a chance to write any data onto that terminal. Wizards: How many programs do you have that forget to close down file descriptors before handing them off to the shell which then hands them off to some other program that may be happy to use them in ways which were not intended? Many programs which use shell escapes that I've encountered forget to close down private file descriptors before forking off children unrelated to their original purpose. Given the right circumstances oversites like this could cause "severe data integrity loss", a.k.a. security problems. -Bob Miles, rsm@BRL