Re: [MiNT] Here documents and CRLF
Hi Thomas!
On Thu, Jun 17, 1999 at 12:15:11PM +0200, Thomas Binder wrote:
> Hi!
>
> On Wed, Jun 16, 1999 at 02:27:43AM +0200, Guido Flohr wrote:
> > I think the only part of UNIXMODE that gets evaluated by the MiNTLib is
> > the "b", or rather the missing "b".
>
> The "rX" part should also be evaluated in crtinit.c somewhere, to set
> the current directory to the root dir of drive X.
You are just testing me, right? Where is the candid camera?
But even if I don't cd to "/X", no, I think the "rX" part is not
evaluated at all. This is in conflict with the Unixmode docs but I would
still prefer to leave it as it is. Both MiNT and MagiC do that within the
kernel and re-emulating that in the lib would be error-prone and it would
also mean some considerable overhead.
> > BTW (just curiosity), could you tell me what that security problem with
> > Linux was?
>
> The contents of the NLS_PATH variable was copied into a fixed length
> buffer without respecting this limit, i.e. you could cause a buffer
> overflow (overwriting stack contents) by setting NLS_PATH to something
> large. By carefully designing the bytes that got onto the stack, you
> could cause arbitrary code to get executed, i.e. exec("/bin/sh"). As
> this also affected all suid-binaries, it was dead easy to get root
> access.
Thanks for the explanation. Feels somewhat better now that I understand
my own code. ;-)
Maybe I will then remove the UNIXMODE restriction again. It is parsed
byte by byte and never copied. I don't see a reason for such precaution
there.
OK, if anyone needs root access on a MiNT machine and the supervisor is
too nasty to grant it, proceed as follows: Run a setuid program, fill its
bss with the assembler code for "exec /bin/sh" and find a way to make its
stack overflow. ;-)
We should really fix that stack problem.
Ciao
Guido
--
http://stud.uni-sb.de/~gufl0000
mailto:gufl0000@stud.uni-sb.de
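The bug Thomas describes above (an environment variable copied into a fixed-size stack buffer without a length check, reachable through setuid binaries) is a standard pattern, so here is an added example in C showing the vulnerable copy next to a hardened one. This is illustrative code written for this page, not the MiNTLib or glibc source; NLS_BUF_SIZE, the function names and the sample values are assumptions, and the real buffer size in the affected library is not stated in the thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumed size of the fixed buffer; the real value in the affected
 * library is not given in the thread. */
#define NLS_BUF_SIZE 256

/* Vulnerable pattern: the value of an environment variable is copied
 * into a fixed-size stack buffer with no bound. With a value longer
 * than the buffer, the copy runs past the end of buf and overwrites
 * whatever follows it on the stack (saved registers, return address).
 * Never call this with untrusted input; it is here only for contrast. */
void load_nls_path_unsafe(const char *value)
{
    char buf[NLS_BUF_SIZE];
    strcpy(buf, value);            /* no length check at all */
    printf("NLS path: %s\n", buf);
}

/* Tells whether a given value would overflow the fixed buffer, i.e.
 * whether strlen(value) + 1 (for the terminating NUL) exceeds it. */
int nls_value_overflows(const char *value)
{
    return value != NULL && strlen(value) + 1 > NLS_BUF_SIZE;
}

/* Hardened copy: check the length before copying and refuse oversized
 * values instead of silently truncating a path (a truncated search
 * path is itself a surprising behaviour in a library). Returns 0 on
 * success, -1 if the value is missing or does not fit. */
int load_nls_path_safe(const char *value, char *out, size_t outsz)
{
    size_t len;
    if (value == NULL || outsz == 0)
        return -1;
    len = strlen(value);
    if (len >= outsz)              /* need room for the NUL as well */
        return -1;
    memcpy(out, value, len + 1);
    return 0;
}

/* Convenience wrapper with a fixed-size local buffer, so the safe path
 * can be exercised the same way the unsafe one would be used. */
int try_load(const char *value)
{
    char buf[NLS_BUF_SIZE];
    return load_nls_path_safe(value, buf, sizeof buf);
}

/* The reason this mattered for setuid binaries: the environment is
 * chosen by the unprivileged caller, but the program runs with the
 * file owner's privileges. A library that honours path-like variables
 * should ignore them entirely when the effective ids differ from the
 * real ones (the approach glibc later took with secure_getenv). */
int untrusted_environment(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Constructed attacker value: a run of 'A's well past the buffer size,
 * standing in for something like NLS_PATH=AAAA... set before running a
 * setuid program. No real exploit payload is included. */
const char *attacker_value(void)
{
    static char big[NLS_BUF_SIZE + 128];
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    return big;
}

int main(void)
{
    const char *benign = "/usr/share/locale";   /* constructed sample */

    printf("benign value overflows: %d\n", nls_value_overflows(benign));
    printf("attacker value overflows: %d\n", nls_value_overflows(attacker_value()));
    printf("safe load of benign value: %d\n", try_load(benign));
    printf("safe load of attacker value: %d\n", try_load(attacker_value()));
    printf("environment untrusted (setuid/setgid): %d\n", untrusted_environment());
    return 0;
}
```

The hardened version only fixes the memory corruption; the second check (ignoring the variable when running with elevated privileges) is what removes the privilege-escalation angle, since even a correctly bounded path is still an attacker-chosen search path for a privileged process.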