Subject: Re: possible rcp hole...
From: Luciano Miguel Ferreira Rocha (strange NSK.YI.ORG)
Date: Wed Nov 22 2000 - 08:32:18 CST
Hello!
On Wed, Nov 22, 2000 at 09:11:20AM +1100, Andrew Griffiths wrote:
> It is negated because system() calls /bin/cp which with the newer
> versions of bash, it drops its effective credentials...
On my system, Red Hat 7.0, the rcp program doesn't call the system function but a susystem function, that does a setuid(getuid()), so all extra privileges are lost.
$ rpm -qf /usr/bin/rcp
rsh-0.17-2.2
rcp.c, 396-404:
(void)setuid(userid);
args[0] = "sh";
args[1] = "-c";
args[2] = s;
args[3] = NULL;
/* Defeat C type system to permit passing char ** to execve */
argsfoo = args;
memcpy(&argsbar, &argsfoo, sizeof(argsfoo));
execve(_PATH_BSHELL, argsbar, saved_environ);
hugs
Luciano Rocha
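
Added example (not part of the original message or of the rsh package): a self-contained C version of the pattern in the excerpt above, dropping to the real ids before exec'ing the shell. Unlike the excerpt it checks the return values, uses setregid()/setreuid() so the saved ids are reset as well, and confirms the old ids cannot be regained; the names drop_privileges and run_unprivileged and the /bin/sh path are assumptions of this example.

```c
#define _XOPEN_SOURCE 700   /* declares setreuid()/setregid() */
#include <errno.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently switch to the real uid/gid; returns 0 on success, -1 on failure. */
static int drop_privileges(void)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();

    /* Group first: once the uid is dropped we may no longer be allowed to. */
    if (setregid(rgid, rgid) != 0) return -1;
    if (setreuid(ruid, ruid) != 0) return -1;   /* the return value matters */

    if (geteuid() != ruid || getegid() != rgid) return -1;
    /* If we started elevated, getting the old ids back must now fail. */
    if (ruid != 0 && egid != rgid && setegid(egid) == 0) return -1;
    if (ruid != 0 && euid != ruid && seteuid(euid) == 0) return -1;
    return 0;
}

/* Hypothetical helper: run "sh -c cmd" with the caller's own ids only.
 * Returns the command's exit status, or -1 on fork/wait failure or signal. */
int run_unprivileged(const char *cmd)
{
    int status;
    pid_t pid = fork();

    if (pid < 0) return -1;
    if (pid == 0) {
        char *args[] = { "sh", "-c", (char *)cmd, NULL };
        if (drop_privileges() != 0) _exit(126);   /* never exec while elevated */
        execv("/bin/sh", args);
        _exit(127);                               /* exec itself failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    return run_unprivileged("id");   /* prints the ids the shell runs with */
}
```

Built set-uid, the child exits with status 126 rather than reaching the shell if any step of the drop fails.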