[rt-devel] possible security bug
Paul Lussier
pll at mclinux.com
Thu Jan 17 15:39:20 EST 2002
Hi,
While looking at the rt2 source, I noticed that in tools/initdb the
sub:
sub prompt_for_dba_password {
print "Enter the $DB_TYPE password for $DB_DBA: ";
system "stty -echo";
$DB_DBA_PASSWORD = scalar(<STDIN>); #keep off commandline
system "stty echo";
chomp $DB_DBA_PASSWORD;
}
calls 'stty' via system() without specifying a path, or making any
checks of %ENV whatsoever.
This is not good. Despite the fact that the person who is installing
rt2 *probably* has root privileges, they may not, and may be invoking
'initdb' via something like 'sudo', in which case it's trivial for
them to then *get* root access by placing something called 'stty' in
the search path that shows up before the really stty.
I recommend setting an explicit path for 'stty' at the very least, at
best de-taint only required %ENV variables and unset %ENV.
--
Seeya,
Paul
----
God Bless America!
If you're not having fun, you're not doing it right!
...we don't need to be perfect to be the best around,
and we never stop trying to be better.
Tom Clancy, The Bear and The Dragon
More information about the Rt-devel
mailing list