On Wed, Jul 16, 2003 at 12:19:46PM +0100, Andy Wardley wrote:
>
> #define _GNU_SOURCE       /* needed for setresgid/setresuid on glibc */
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>       /* strerror */
> #include <unistd.h>
> #include <errno.h>
>
> /* change these values */
> #define OWNER_UID 253
> #define OWNER_GID 253
> #define SCRIPT "/home/abw/web/bandq/bin/build"
>
> int main(int argc, char *argv[])
> {
>     int res;
>
>     if ((res = setresgid(OWNER_GID, OWNER_GID, OWNER_GID))) {
>         fprintf(stderr, "setresgid(%d) - %s\n", OWNER_GID, strerror(errno));
>         exit(3);
>     }
>
>     if ((res = setresuid(OWNER_UID, OWNER_UID, OWNER_UID))) {
>         fprintf(stderr, "setresuid(%d) - %s\n", OWNER_UID, strerror(errno));
>         exit(4);
>     }
>
>     execv(SCRIPT, argv);
That passes the environment unaltered to SCRIPT. In combination with the fact that you're setting the real uid/gid as well as effective, that could lead to arbitrary command execution via PATH or LD_PRELOAD or PERL5LIB or some such.

>     fprintf(stderr, "execv error: %s\n", strerror(errno));
>     exit(5);
> }

--
Nick
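For readers following the thread, here is an added example (not Andy's wrapper and not Nick's code) of the shape a wrapper takes once the point above is applied: privileges are dropped group-first and then verified with getresuid/getresgid, and the script is started with execve and a fixed environment so that nothing the caller set (PATH, LD_PRELOAD, PERL5LIB and the like) reaches it. The SCRIPT path, the OWNER ids and the list of blocked variable prefixes are placeholders chosen for the example; the audit helper count_blocked only reports which caller-supplied entries the fixed environment discards.

```c
#define _GNU_SOURCE              /* setresuid/setresgid/getresuid/getresgid on glibc */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Placeholders: adjust to the real owner and script (not the values from the thread). */
#define OWNER_UID 65534
#define OWNER_GID 65534
#define SCRIPT    "/path/to/build"

/* The only environment the script ever sees; the caller's envp is never consulted. */
static char *const safe_env[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

/* Illustrative prefixes of variables that must not be inherited by a privileged child. */
static const char *const blocked_prefixes[] = {
    "LD_", "PERL5", "PATH=", "IFS=", NULL
};

/* 1 if a caller-supplied "NAME=value" string matches a blocked prefix, else 0. */
int env_entry_is_blocked(const char *entry)
{
    for (int i = 0; blocked_prefixes[i] != NULL; i++) {
        size_t n = strlen(blocked_prefixes[i]);
        if (strncmp(entry, blocked_prefixes[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Audit helper: how many entries of envp a plain execv() would have passed through
 * that the fixed environment above deliberately drops. */
int count_blocked(char *const envp[])
{
    int blocked = 0;
    for (int i = 0; envp[i] != NULL; i++)
        blocked += env_entry_is_blocked(envp[i]);
    return blocked;
}

/* Permanently switch to uid/gid: group first (while still privileged enough to do
 * so), then user, then read the ids back to confirm the switch really happened.
 * Returns 0 on success, -1 with errno set on failure. */
int drop_privileges(uid_t uid, gid_t gid)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;

    if (setresgid(gid, gid, gid) != 0)
        return -1;
    if (setresuid(uid, uid, uid) != 0)
        return -1;
    if (getresuid(&ru, &eu, &su) != 0 || ru != uid || eu != uid || su != uid) {
        errno = EPERM;
        return -1;
    }
    if (getresgid(&rg, &eg, &sg) != 0 || rg != gid || eg != gid || sg != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char *argv[])
{
    (void)argc;
    if (drop_privileges(OWNER_UID, OWNER_GID) != 0) {
        fprintf(stderr, "drop_privileges(%d/%d) - %s\n", OWNER_UID, OWNER_GID, strerror(errno));
        return 3;
    }
    /* execve with a fixed envp: the inherited environment is discarded entirely. */
    execve(SCRIPT, argv, safe_env);
    fprintf(stderr, "execve %s - %s\n", SCRIPT, strerror(errno));
    return 5;
}
```

Because the wrapper sets the real uid to the target as well, the kernel no longer marks the new image as setuid, so the interpreter behind SCRIPT would honour LD_PRELOAD and friends if they survived; replacing the environment wholesale is simpler and safer than trying to enumerate every dangerous variable.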