volf@ebg.eb.ele.tue.nl (frank volf) (09/28/90)
I have a question.
Is was just hacking around on our Apollo's SR10.2 / BSD4.3 and
I noticed something strange (i.e I think it is strange). I show
you the problem using a sample session.
First of all, I'm logged in on the Display Manager under my own
account 'volf'.
Then I go to someone elses account 'maxad' (don't worry maxad is
just another me) and go to some directory called junk for which I don't
have any write access!
ebg{volf}[//ebg/users/volf] 17 > cd ~maxad/junk
ebg{volf}[//ebk/users/maxad/junk] 18 > ll
total 3
1 drwxr-xr-x 1 maxad 1024 Sep 28 09:11 .
1 drwxrwxr-x 1 maxad 1024 Sep 28 09:11 ..
1 -rw-r--r-- 1 volf 24 Sep 28 09:11 test
The file test in this directory is owned by me and therefore I can
edit it. I do this using the DM editor. After I finished editing I ask for
a directory list.
ebg{volf}[//ebk/users/maxad/junk] 19 > ll
total 4
1 drwxr-xr-x 1 maxad 1024 Sep 28 09:13 .
1 drwxrwxr-x 1 maxad 1024 Sep 28 09:11 ..
1 -rw-r--r-- 1 volf 49 Sep 28 09:13 test
1 -rw-r--r-- 1 volf 24 Sep 28 09:11 test.bak
ebg{volf}[//ebk/users/maxad/junk] 20 >
The directory now contains two entries!! But I don't have any write access
to the directory.
Here are my questions. How is it possible for the DM to create an entry in a
directory for which I don't have write access? If creating a .bak file is no
problem, is it possible (in some nasty way) to create an arbitrary file in a
arbitrary directory. In that case we have a BIG security problem.
Thanx, Frank
Frank Volf (volf@eb.ele.tue.nl)
Eindhoven University of Technology
Digital Systems Group, Room EH10.08
P.O. 513, 5600 MB Eindhoven, The Netherlands