gwyn%brl-vld@sri-unix.UUCP (07/01/83)
From: Doug Gwyn (VLD/VMB) <gwyn@brl-vld>
People here showed me a couple of things that should be checked carefully
in every piece of security-related system utility code:
(1) A program can be exec'ed with argc==0 ; make sure this doesn't cause
any problems.
(2) A program can be exec'ed with some of fd's 0, 1, and 2 closed; this
may cause unexpected problems. For example:
/*
passwd -- password changing utility [EXAMPLE]
*/
#include <stdio.h>
#include <stdlib.h>
int main(void)
{
	/* If the caller closed fd 1, this fopen() is handed fd 1. */
	FILE *pw_out = fopen( "/etc/passwd.new", "w" );
	FILE *pw_in = fopen( "/etc/passwd", "r" );
	/* printf() writes to fd 1 -- which may now be pw_out. */
	printf( "New password: " );
	/* ... get password from stdin ... */
	/* ... having checked it, copy pw_in to pw_out changing user's data ... */
	rename( "/etc/passwd.new", "/etc/passwd" );
	exit( 0 );
}
Now, consider what happens if this program is run with fd 1
closed. pw_out would be opened with fd 1, and the printf()
would clobber root's data in the newly-constructed password file.
Of course, there are fixes in this particular case (and it may
not even work like that in practice) but the point should be clear.
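An added illustration of the defensive checks the post asks for, not code from the original message: before any fopen(), make sure fds 0, 1 and 2 are open (filling holes with /dev/null) so a later open cannot land on a standard descriptor, and never trust argv[0] to exist when argc == 0. The function names sanitize_std_fds, ensure_fd_open, fd_is_open and program_name, and the fallback name "passwd", are my own choices.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if fd is currently an open descriptor, 0 otherwise. */
int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1;
}

/* Make sure a given fd is open. Returns 0 if it already was, 1 if it
 * had to be filled with /dev/null, -1 if that was impossible.
 * fd 0 gets read-only /dev/null, anything else gets write-only. */
int ensure_fd_open(int fd)
{
    if (fd_is_open(fd))
        return 0;
    int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
    if (nfd == -1)
        return -1;
    if (nfd != fd) {
        /* open() returned some other free slot; move it into place. */
        if (dup2(nfd, fd) == -1) {
            close(nfd);
            return -1;
        }
        close(nfd);
    }
    return 1;
}

/* Fill any closed fd among 0, 1, 2. Returns how many had to be filled.
 * After this, every fopen() in the program receives fd >= 3. */
int sanitize_std_fds(void)
{
    int filled = 0;
    for (int fd = 0; fd <= 2; fd++) {
        int r = ensure_fd_open(fd);
        if (r == -1)
            _exit(1);   /* cannot even get /dev/null: refuse to run */
        filled += r;
    }
    return filled;
}

/* Name for diagnostics that survives exec with argc == 0 / argv[0] == NULL. */
const char *program_name(int argc, char **argv)
{
    if (argc < 1 || argv == NULL || argv[0] == NULL)
        return "passwd";   /* assumed fallback name */
    return argv[0];
}

int main(int argc, char **argv)
{
    /* Do this first, before anything calls fopen() or open(). */
    int filled = sanitize_std_fds();
    const char *name = program_name(argc, argv);

    /* Now a scratch file can never be handed fd 0, 1 or 2. */
    FILE *scratch = fopen("/dev/null", "w");
    if (scratch == NULL)
        return 1;
    fprintf(stderr, "%s: filled %d standard fd(s); scratch file is fd %d\n",
            name, filled, fileno(scratch));
    fclose(scratch);
    return 0;
}
```

Run it normally and it reports zero fds filled; run it as `./a.out >&-` (stdout closed) and it reports one, with the scratch file still on fd 3 or higher instead of fd 1.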