The 'Security Digest' Archives (TM)


ARCHIVE: 'Phage List' - Archives (1988 - 1989)
DOCUMENT: phage #144 [Re: Another Feature of the Worm] (1 message, 703 bytes)
SOURCE: http://securitydigest.org/exec/display?f=phage/archive/144.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT

From: Chris Torek <chris@mimsy.umd.edu>
To: phage
Date: Mon 23:46:32 07/11/1988 EST
Subject: Re: Another Feature of the Worm
References: [Thread Prev: 141] [Thread Next: 145] [Message Prev: 143] [Message Next: 146]

	From: Peter Honeyman <honey@citi.umich.edu>

	the bug involved requesting pgrp 1<<16 -- the kernel checked
	to make sure pgrp != 0, then assigned it to a short. ...

	has it been fixed?

No:

    case TIOCSPGRP: {
	struct proc *p;
	int pgrp = *(int *)data;	/* caller's argument, read as a full int */

	if (u.u_uid && (flag & FREAD) == 0)
		return (EPERM);
	p = pfind(pgrp);		/* lookup is done on the untruncated int */
	if (p && p->p_pgrp == pgrp &&
	    p->p_uid != u.u_uid && u.u_uid && !inferior(p))
		return (EPERM);
	tp->t_pgrp = pgrp;		/* t_pgrp is a short: high 16 bits dropped here */
	break;
    }

[grep t_pgrp /sys/h/tty.h]

	short	t_pgrp;			/* tty */

I am not sure that this can be used to TIOCSTI someone else's terminal
anymore; but to be safe, this should read

	int pgrp = *(short *)data;

Ah well.  If I had known that POSIX was going to change the way pgroups
work, I would have put in my own suggestion....

Chris

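The mismatch discussed in this message, worked through as an added example (not code from the phage list or from any BSD kernel): a user-space model of the quoted TIOCSPGRP check against a constructed process table. It generalises the 1<<16 case a little: any value of the form (1<<16) | target passes the ownership check (the int lookup finds no process) and then stores target in the 16-bit t_pgrp. The process table, uids and the inferior() stub are assumptions; the FREAD test is omitted (the caller is assumed to have the tty open for reading).

```c
/* Added example: user-space model of the 4.3BSD TIOCSPGRP check quoted
 * above. Not kernel code; the process table below is constructed. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct proc { int p_pid; int p_pgrp; int p_uid; };

/* Constructed table: a victim shell owned by uid 100 leads pgrp 42,
 * the attacker (uid 200) leads pgrp 77. */
static struct proc proctab[] = {
    {    1,  1,   0 },  /* init, root */
    {   42, 42, 100 },  /* victim's login shell, pgrp leader */
    { 4242, 42, 100 },  /* another process in the victim's pgrp */
    {   77, 77, 200 },  /* attacker's shell */
};
#define NPROC (sizeof proctab / sizeof proctab[0])

static struct proc *pfind(int pid)
{
    for (size_t i = 0; i < NPROC; i++)
        if (proctab[i].p_pid == pid)
            return &proctab[i];
    return NULL;
}

/* Assumption: no process here is a descendant of the caller. */
static int inferior(struct proc *p) { (void)p; return 0; }

/* The ownership test from the quoted case, on whatever value it is given. */
static int check_pgrp(int pgrp, int u_uid)
{
    struct proc *p = pfind(pgrp);
    if (p && p->p_pgrp == pgrp && p->p_uid != u_uid && u_uid && !inferior(p))
        return EPERM;
    return 0;
}

/* As quoted: the check runs on the int, the store is into a short.
 * Returns the stored t_pgrp, or -EPERM if the check rejects the request. */
int tiocspgrp_vuln(const int *data, int u_uid)
{
    short t_pgrp;
    int pgrp = *data;
    if (check_pgrp(pgrp, u_uid))
        return -EPERM;
    t_pgrp = pgrp;          /* silent truncation to 16 bits */
    return t_pgrp;
}

/* Torek's suggestion: read the argument as a short first, so the value
 * that is checked is the value that is stored. memcpy stands in for
 * *(short *)data and picks up the same bytes that cast would. */
int tiocspgrp_fixed(const int *data, int u_uid)
{
    short t_pgrp, arg;
    int pgrp;
    memcpy(&arg, data, sizeof arg);
    pgrp = arg;
    if (check_pgrp(pgrp, u_uid))
        return -EPERM;
    t_pgrp = pgrp;
    return t_pgrp;
}

int main(void)
{
    int own = 77, victim = 42, bare = 1 << 16, hi = (1 << 16) | 42;
    printf("attacker sets own pgrp 77:        %d\n", tiocspgrp_vuln(&own, 200));
    printf("attacker asks for victim pgrp 42: %d\n", tiocspgrp_vuln(&victim, 200));
    printf("attacker asks for 1<<16:          %d\n", tiocspgrp_vuln(&bare, 200));
    printf("attacker asks for 1<<16|42 (old): %d\n", tiocspgrp_vuln(&hi, 200));
    printf("attacker asks for 1<<16|42 (fix): %d\n", tiocspgrp_fixed(&hi, 200));
    return 0;
}
```

The vulnerable path returns 42 for the request (1<<16)|42: pfind(65578) finds nothing, so the EPERM branch is never taken, and the assignment to the short t_pgrp keeps only the low 16 bits. With the argument read as a short up front, the lookup sees 42, finds the victim's process, and the same ownership test rejects it.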
END OF DOCUMENT