arwhite@watmath.UUCP (Alex White) (02/08/84)
Subject: FTRUNC bypasses permissions!
Index: /sys/ufs_syscalls.c 4.2BSD
Description:
copen doesn't check permissions if FTRUNC is specified but FWRITE
isn't. This means you can truncate files you don't have perms on,
and truncate to zero length DIRECTORIES!!!!
Repeat-By:
#include <sys/file.h>
main()
{
open("xyz", O_TRUNC|O_RDONLY); /* xyz with no write perms */
open(".", O_TRUNC|O_RDONLY); /* Directory is truncated! */
}
Fix:
in copen, change
if((mode&FCREAT) == 0) {
if (mode&FREAD)
...
if (mode&FWRITE) {
...
}
}
change the
if (mode&FWRITE) {
to
if (mode&(FWRITE|FTRUNC)) {
this will mean the check for write perms will be done for truncate,
and also the check for being a directory.
*If anybody takes advantage of this on any system on campus before I get
*around to changing them all and after I post this note you will find your
*account gone very quickly!