
List:       debian-devel
Subject:    Re: setuid/setgid binaries contained in the Debian repository.
From:       Emile van Bergen <emile-deb () evbergen ! xs4all ! nl>
Date:       2003-08-11 18:08:53

Hi,

On Mon, Aug 11, 2003 at 06:53:19PM +0200, Bernd Eckenfels wrote:

> On Mon, Aug 11, 2003 at 06:13:10PM +0200, Emile van Bergen wrote:
> > To make the wrapper unwritable both by the user and the per-game
> > uid/gid, make it setuid root
> 
> I guess this is called sudo?

Yes, a custom version of that, but indeed, perhaps sudo could be
persuaded to do the same. 

> >         /* securely obtain /usr/lib/games/`basename $0` */
> > 
> >         if (!argv[0]) return 2;
> >         me = strrchr(argv[0], '/');
> >         if (me) me++; else me = argv[0];
> >         melen = strlen(me);
> >         if (melen < 1 || melen > sizeof(realgame) - 16) return 3;
> 
> You need to check for '..'

Why? '../file' still contains the '/' separator and thus gives 'file' as
'me'.

Cheers,


Emile.

-- 
E-Advies - Emile van Bergen           emile@e-advies.nl      
tel. +31 (0)70 3906153           http://www.e-advies.nl    
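The basename-from-argv[0] logic that the quoted snippet performs, written out as a complete program. This is an added example, not code from the thread or from the wrapper being discussed. GAMES_DIR, the function names, the sample argv[0] values and the extra rejection of "." and ".." are my assumptions; the return codes 2 and 3 mirror the snippet, 4 is mine. The point it demonstrates is the one made above: once the name is taken from after the last '/', a '..' in the directory part never reaches the assembled path.

```c
#include <stdio.h>
#include <string.h>

/* Assumed prefix; the thread's wrapper targets /usr/lib/games/. */
#define GAMES_DIR "/usr/lib/games/"

/* Derive the game name from argv[0] the way the quoted snippet does:
 * everything after the last '/' is the name, so any directory part,
 * including "..", is discarded before the path is assembled.
 * Returns 0 on success; 2 and 3 match the snippet's return values. */
int game_name_from_argv0(const char *argv0, char *name, size_t namelen)
{
    const char *me;
    size_t melen;

    if (!argv0) return 2;                      /* no argv[0] at all */
    me = strrchr(argv0, '/');
    if (me) me++; else me = argv0;             /* basename */
    melen = strlen(me);
    if (melen < 1 || melen >= namelen) return 3;   /* empty or too long */

    /* Extra conservative check (not in the quoted snippet): after taking
     * the basename, "." and ".." are the only names left that still refer
     * to a directory rather than a game binary, so refuse them too. */
    if (strcmp(me, ".") == 0 || strcmp(me, "..") == 0) return 4;

    memcpy(name, me, melen + 1);
    return 0;
}

/* Assemble GAMES_DIR + name into realgame, bounded in the spirit of the
 * snippet's sizeof(realgame) - 16 check (16 = strlen(GAMES_DIR) + NUL). */
int real_game_path(const char *argv0, char *realgame, size_t realgamelen)
{
    char name[64];
    int rc;
    size_t prefixlen = strlen(GAMES_DIR);

    if (realgamelen <= prefixlen) return 3;
    rc = game_name_from_argv0(argv0, name, sizeof name);
    if (rc) return rc;
    if (strlen(name) >= realgamelen - prefixlen) return 3;
    snprintf(realgame, realgamelen, "%s%s", GAMES_DIR, name);
    return 0;
}

int main(void)
{
    /* Constructed sample argv[0] values, including the '../file' case
     * from the discussion and a few degenerate ones. */
    const char *samples[] = {
        "../somegame", "/usr/games/somegame", "somegame", "..", "", "/usr/games/"
    };
    char buf[128];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = real_game_path(samples[i], buf, sizeof buf);
        printf("%-22s -> rc=%d %s\n", samples[i], rc, rc == 0 ? buf : "(rejected)");
    }
    return 0;
}
```

Running it shows "../somegame" and "/usr/games/somegame" both resolving to /usr/lib/games/somegame, while "", "/usr/games/" and ".." are refused before any path is built.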


