From owner-freebsd-security Mon Aug 4 14:06:45 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA27774 for security-outgoing; Mon, 4 Aug 1997 14:06:45 -0700 (PDT)
Received: from onyx.atipa.com (user11604@ns.atipa.com [208.128.22.10]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id OAA27760 for ; Mon, 4 Aug 1997 14:06:41 -0700 (PDT)
Received: (qmail-queue invoked by uid 1018); 4 Aug 1997 21:01:31 -0000
Date: Mon, 4 Aug 1997 15:01:31 -0600 (MDT)
From: Atipa
X-Sender: freebsd@dot.ishiboo.com
To: Marc Slemko
cc: "Jonathan A. Zdziarski" , ports@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: SetUID
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Mon, 4 Aug 1997, Marc Slemko wrote:

> You could. If you did, however, you would be silly.
>
> The wrapper you give allows anyone who can run it to do anything they want
> as the uid it is setuid to.

If you allow the shell script to be modified, yes. Otherwise, I cannot
see how they could use the wrapper to execute anything but the script
hard coded therein. Am I being naive?

Set the permissions to 750, chown root. And make sure the shell script is
non world or group writable.

What's the vulnerability?

Kevin

>
> > -- cut here (wrapper.c) --
> >
> > #include <unistd.h>
> > main()
> > {
> >     execl("/etc/rc.WHATEVER","WHATEVER",NULL);
> > }
> >
> > -- end--
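
The following is an added example, not code from the thread: a wrapper that enforces the conditions listed in the message above (script owned by root, not group- or world-writable) before executing it. It also goes one step beyond the message by passing a fixed environment instead of the caller's. The names `script_is_safe` and `run_script` and the fixed `PATH`/`IFS` values are assumptions, and `/etc/rc.WHATEVER` is the thread's own placeholder path.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholder path taken from the quoted wrapper.c. */
#define SCRIPT_PATH "/etc/rc.WHATEVER"

/* Return 1 if `path` is a regular file owned by `owner` that neither
 * group nor others can write; 0 otherwise (including on any error). */
int script_is_safe(const char *path, uid_t owner)
{
    struct stat st;
    int ok;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);   /* refuse symlinks */

    if (fd < 0)
        return 0;
    ok = fstat(fd, &st) == 0
        && S_ISREG(st.st_mode)
        && st.st_uid == owner
        && (st.st_mode & (S_IWGRP | S_IWOTH)) == 0;
    close(fd);
    return ok;
}

/* Execute the script with a fixed environment rather than the caller's.
 * Returns -1 if a check or execve() fails; does not return on success. */
int run_script(const char *path, uid_t owner)
{
    /* Constructed minimal environment (assumed values); nothing inherited. */
    char *const envp[] = { "PATH=/sbin:/bin:/usr/sbin:/usr/bin", "IFS= \t\n", NULL };
    char *const argv[] = { "WHATEVER", NULL };

    if (!script_is_safe(path, owner))
        return -1;
    return execve(path, argv, envp);
}

int main(void)
{
    run_script(SCRIPT_PATH, 0);   /* 0 = root, as in "chown root" */
    return 1;                     /* reached only on failure */
}
```

The ownership and mode check covers only the script file itself; the directories leading to it need the same write restrictions for the check to mean anything.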