arwhite@watmath.UUCP (Alex White) (02/08/84)
Subject: FTRUNC bypasses permissions! Index: /sys/ufs_syscalls.c 4.2BSD Description: copen doesn't check permissions if FTRUNC is specified but FWRITE isn't. This means you can truncate files you don't have perms on, and truncate to zero length DIRECTORIES!!!! Repeat-By: #include <sys/file.h> main() { open("xyz", O_TRUNC|O_RDONLY); /* xyz with no write perms */ open(".", O_TRUNC|O_RDONLY); /* Directory is truncated! */ } Fix: in copen, change if((mode&FCREAT) == 0) { if (mode&FREAD) ... if (mode&FWRITE) { ... } } change the if (mode&FWRITE) { to if (mode&(FWRITE|FTRUNC)) { this will mean the check for write perms will be done for truncate, and also the check for being a directory. *If anybody takes advantage of this on any system on campus before I get *around to changing them all and after I post this note you will find your *account gone very quickly!