From owner-freebsd-security  Tue Jun 10 07:59:10 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id HAA09377
          for security-outgoing; Tue, 10 Jun 1997 07:59:10 -0700 (PDT)
Received: from FreeBSD.cs.nccu.edu.tw (FreeBSD.cs.nccu.edu.tw [140.119.163.156])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id HAA08998
          for <freebsd-security@freebsd.org>; Tue, 10 Jun 1997 07:54:24 -0700 (PDT)
Received: (from root@localhost)
	by FreeBSD.cs.nccu.edu.tw (8.8.5/8.8.5) id WAA02221
	for freebsd-security@freebsd.org; Tue, 10 Jun 1997 22:54:54 GMT
Date: Tue, 10 Jun 1997 22:54:54 GMT
From: Yuang Shuang-Long <edward@FreeBSD.cs.nccu.edu.tw>
Message-Id: <199706102254.WAA02221@FreeBSD.cs.nccu.edu.tw>
To: freebsd-security@freebsd.org
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

  Hi! folks:
	I have a trouble that some users use the following prog. to get
  root privilege, and the more they do some destructive thing. (eg. 
  delete some file /var/log/* :-( ) I need your help...


**********************************************************************



#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <pwd.h>

#if 0
          struct passwd {
              char *pw_name;    /* user's login name */
              char *pw_passwd;  /* no longer used */
              uid_t pw_uid;        /* user's uid */
              gid_t pw_gid;        /* user's gid */
              char *pw_age;     /* not used */
              char *pw_comment; /* not used */
              char *pw_gecos;   /* typically user's full name */
              char *pw_dir;     /* user's home dir */
              char *pw_shell;   /* user's login shell */
          };
#endif

void
main(int argc, char *argv[])
{
	struct passwd *pw;

	if(argc < 2) {
		fprintf(stderr, "too few argument\n");
		exit(-1);
	}
	if((pw = getpwnam(argv[1])) == NULL) {
		perror(argv[1]);
		exit(-1);
	}
	printf("uid:%d gid:%d home:%s shell:%s\n", pw->pw_uid, pw->pw_gid, 
		pw->pw_dir, pw->pw_shell);
	if(setgid(pw->pw_gid) == -1)
		perror("setgid");
	if(setuid(pw->pw_uid) == -1)
		perror("setuid");
	chdir(pw->pw_dir);
	system(pw->pw_shell);
}

*************************************************************************