[rt-devel] possible security bug

Paul Lussier pll at mclinux.com
Thu Jan 17 15:39:20 EST 2002


While looking at the rt2 source, I noticed that in tools/initdb the 

	sub prompt_for_dba_password {
	    print "Enter the $DB_TYPE password for $DB_DBA: ";
	    system "stty -echo";
	    $DB_DBA_PASSWORD = scalar(<STDIN>); #keep off commandline
	    system "stty echo";
	    chomp $DB_DBA_PASSWORD;

calls 'stty' via system() without specifying a path, or making any 
checks of %ENV whatsoever.  

This is not good.  Despite the fact that the person who is installing 
rt2 *probably* has root privileges, they may not, and may be invoking 
'initdb' via something like 'sudo', in which case it's trivial for 
them to then *get* root access by placing something called 'stty' in 
the search path that shows up before the real stty.

I recommend setting an explicit path for 'stty' at the very least, at 
best de-taint only required %ENV variables and unset %ENV.


			  God Bless America!

	 If you're not having fun, you're not doing it right!

	...we don't need to be perfect to be the best around,
		and we never stop trying to be better. 
		       Tom Clancy, The Bear and The Dragon
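
The recommendation in the message above, sketched as an added example (not code from rt2 or from the poster): the prompt routine with an absolute path for stty, the list form of system(), and %ENV replaced by a minimal fixed environment under taint mode. The /bin/stty location, the fixed PATH value and the 'mysql'/'root' arguments are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example. Run directly or with "perl -T" so taint checks are enforced.
use strict;
use warnings;

# Assumption: stty is installed at /bin/stty; adjust for the target platform.
my $STTY = '/bin/stty';

# Discard the whole inherited environment (PATH, IFS, ENV, BASH_ENV, ...)
# and set only what is needed, to a fixed, untainted value.
%ENV = (PATH => '/bin:/usr/bin');

sub prompt_for_dba_password {
    my ($db_type, $db_dba) = @_;

    -x $STTY or die "$STTY not found or not executable\n";

    print "Enter the $db_type password for $db_dba: ";

    # Absolute path: no PATH search. List form: no shell is involved.
    system($STTY, '-echo') == 0
        or die "could not disable terminal echo (status $?)\n";

    my $password = <STDIN>;    # read from the terminal, kept off the command line

    # Always try to restore echo, even if the read returned nothing.
    system($STTY, 'echo') == 0
        or warn "could not restore terminal echo (status $?)\n";
    print "\n";

    die "no password read\n" unless defined $password;
    chomp $password;
    return $password;
}

# Constructed sample arguments; the password itself is never printed.
my $pw = prompt_for_dba_password('mysql', 'root');
printf "read %d characters\n", length $pw;
```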
