On Wed, 29 Dec 1999, Taneli Huuskonen wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
>
> "Todd C. Miller" <Todd.Millerat_private> wrote:
>
> > For those using perl 5.x, you can use sysopen() instead of the "magic"
> > perl open() to fix this.
>
> I'm afraid that wouldn't help much, as you can supply any pathname as
> the -C (configuration file) argument:
>
> /path/to/majordomo/wrapper resend -l foobar -C /tmp/evilhack.pl
>
> I tested this with version 1.94.1, but the same behaviour seems to be
> there in 1.94.4, as far as I can tell by the source.

This patch should take care of that problem:

--- majordomo.old Sat Oct 2 02:30:30 1999 +++ majordomo Thu Dec 30 04:34:25 1999 @@ -44,6 +44,25 @@ die("$cf not readable; stopped"); } +# Check if the cf file is owned by effective uid +if ((stat($cf))[4] != $>) { + die("$cf not owned by effective uid; stopped"); +} + +# Check if the cf file is owned by effective gid +$cfgid = (stat($cf))[5]; +$inlist = 0; +foreach (split(/ /, $))) { + if ($cfgid == $_) { + $inlist = 1; + last; + } +} +if (! $inlist) { + die("$cf not owned by effective gid; stopped"); +} + +# Now we can read and execute the cf file require "$cf"; # Go to the home directory specified by the .cf file

Comments?

--
Henrik Edlund
http://www.edlund.org/

"They were in the wrong place at the wrong time.
Naturally they became heroes."
Leia Organa of Alderaan, Senator
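Review bot: the new ownership checks call stat($cf) on the pathname, and the following require "$cf" opens that pathname again, so the file can be swapped between the check and the load. Open the file once, run a single stat on that handle for both the uid and gid fields instead of the two separate (stat($cf))[4] and (stat($cf))[5] calls, and execute what was read from the same handle. In the gid loop, split(/ /, $)) walks every entry of $), which in Perl is the effective gid followed by the supplementary groups, so a file owned by any supplementary group passes although the comment and the die message both say "effective gid"; compare against the first element only if that is the intent. Ownership also says nothing about who can write the file: a group- or world-writable file with the expected owner is accepted, so a check that the mode has no write bits for group or other belongs alongside these two tests.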