
Re: [MiNT] Here documents and CRLF



Hi Thomas!

On Thu, Jun 17, 1999 at 12:15:11PM +0200, Thomas Binder wrote:
> Hi!
> 
> On Wed, Jun 16, 1999 at 02:27:43AM +0200, Guido Flohr wrote:
> > I think the only part of UNIXMODE that gets evaluated by the MiNTLib is
> > the "b" resp. the missing "b".
> 
> The "rX" part should also be evaluated in crtinit.c somewhere, to set
> the current directory to the root dir of drive X.

You are just testing me, right? Where is the candid camera?

But even if I don't cd to "/X", no, I think the "rX" part is not
evaluated at all.  This is in conflict with the Unixmode docs but I would
still prefer to leave it as it is.  Both MiNT and MagiC do that within the
kernel and re-emulating that in the lib would be error-prone and it would
also mean some considerable overhead.

> > BTW (just curiosity), could you tell me what that security problem with
> > Linux was?  
> 
> The contents of the NLS_PATH variable were copied into a fixed-length
> buffer without respecting this limit, i.e. you could cause a buffer
> overflow (overwriting stack contents) by setting NLS_PATH to something
> large. By carefully designing the bytes that got onto the stack, you
> could cause arbitrary code to get executed, i.e. exec("/bin/sh"). As
> this also affected all suid-binaries, it was dead easy to get root
> access.

Thanks for the explanation.  Feels somewhat better now that I understand
my own code. ;-)

Maybe I will then remove the UNIXMODE restriction again.  It is parsed
byte by byte and never copied.  I don't see a reason for such precaution
there.

OK, if anyone needs root access on a MiNT machine and the supervisor is
too nasty to grant it, proceed as follows:  Run a setuid program, fill its
bss with the assembler code for "exec /bin/sh" and find a way to make its
stack overflow. ;-)

We should really fix that stack problem.

Ciao

Guido
-- 
http://stud.uni-sb.de/~gufl0000
mailto:gufl0000@stud.uni-sb.de
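The two patterns discussed in this thread, the unchecked copy of an environment variable into a fixed-size buffer that Thomas describes for NLS_PATH and the byte-by-byte scan without copying that Guido prefers for UNIXMODE, side by side as an added C example. This is illustration code written for this archive page, not code from the thread or from the MiNTLib. The buffer size NLS_PATH_MAX, the function names, and the UNIXMODE flag syntax (a "b" for binary mode and "rX" naming a drive, as the thread describes them) are assumptions made for the example; the unchecked copy is included only for comparison and is never called.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed, example-only size of the fixed buffer a library might use. */
#define NLS_PATH_MAX 64

/* The defect described in the thread: the environment value is copied
 * into a fixed buffer with no length check, so a value of NLS_PATH_MAX
 * bytes or more writes past the end of dst. Shown for comparison only;
 * nothing in this example calls it. */
void copy_nls_path_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* Hardened form: check the length before copying and refuse values that
 * do not fit, rather than silently truncating (a truncated search path is
 * also wrong, just less dangerously so). Returns 0 on success, -1 if the
 * value is missing or too long for the buffer. */
int copy_nls_path_checked(char dst[NLS_PATH_MAX], const char *src)
{
    if (src == NULL)
        return -1;
    /* strnlen stops at NLS_PATH_MAX, so a huge value costs bounded work. */
    size_t n = strnlen(src, NLS_PATH_MAX);
    if (n >= NLS_PATH_MAX)   /* no room left for the terminating NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* How a library would read NLS_PATH at start-up using the checked copy. */
int load_nls_path(char dst[NLS_PATH_MAX])
{
    return copy_nls_path_checked(dst, getenv("NLS_PATH"));
}

/* The alternative Guido describes for UNIXMODE: walk the string one byte
 * at a time and never copy it, so its length is irrelevant. The flag
 * syntax here is an assumption for the example: "b" selects binary mode,
 * "rX" names drive X (case-insensitive). Returns the number of options
 * recognised; unknown bytes are ignored. */
int parse_unixmode(const char *mode, int *binary, char *drive)
{
    int recognised = 0;
    *binary = 0;
    *drive = 0;
    if (mode == NULL)
        return 0;
    for (size_t i = 0; mode[i] != '\0'; i++) {
        if (mode[i] == 'b') {
            *binary = 1;
            recognised++;
        } else if (mode[i] == 'r' && isalpha((unsigned char)mode[i + 1])) {
            *drive = (char)toupper((unsigned char)mode[i + 1]);
            recognised++;
            i++;   /* skip the drive letter we just consumed */
        }
    }
    return recognised;
}

int main(void)
{
    char path[NLS_PATH_MAX];
    if (load_nls_path(path) == 0)
        printf("NLS_PATH accepted: %s\n", path);
    else
        printf("NLS_PATH unset or longer than %d bytes, ignored\n",
               NLS_PATH_MAX - 1);

    int binary;
    char drive;
    int n = parse_unixmode(getenv("UNIXMODE"), &binary, &drive);
    printf("UNIXMODE: %d option(s), binary=%d, drive=%c\n",
           n, binary, drive ? drive : '-');
    return 0;
}
```

The checked copy rejects an over-long value instead of truncating it, which is the choice that also keeps the path meaningful; the scan in parse_unixmode never stores the input at all, which is why, as the message above notes, a length restriction on UNIXMODE buys nothing.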