Thanks for the info.
Anyway, I think demogrx is only a demo, but it is good to know about this problem.
Thanks again, and feel free to post about your project to the grx mailing list.
M.Alvarez
fabio wrote:
Hi, I've been interested in using grx libraries to make a media station (something like the FreeVo Project, http://freevo.sourceforge.net/). I've found a security issue in the demogrx test binary. If I want to use the svga driver, the readme says that I must setuid the test programs to make them work. In demogrx.c there is an invocation of system():
(line 402):
    for (i = 0; i < NDEMOS; i++) {
        if (ev->p1 == ptable[i].cid) {
            gfaz_fin();
#if defined(__MSDOS__) || defined(__WIN32__)
            if (ev->p1 == ID_MODETEST)
                strcpy(nprog, "..\\bin\\");
            else
                strcpy(nprog, ".\\");
#else
            if (ev->p1 == ID_MODETEST)
                strcpy(nprog, "../bin/");
            else
                strcpy(nprog, "./");
#endif
#if defined(__XWIN__)
            strcat(nprog, "x");
#endif
            strcat(nprog, ptable[i].prog);
            system(nprog);
(line 420)
This is extracted from the system(3) man page:
Do not use system() from a program with suid or sgid privileges, because strange values for some environment variables might be used to subvert system integrity. Use the exec(3) family of functions instead, but not execlp(3) or execvp(3). system() will not, in fact, work properly from programs with suid or sgid privileges on systems on which /bin/sh is bash version 2, since bash 2 drops privileges on startup. (Debian uses a modified bash which does not do this when invoked as sh.)
In poor words, a user can (for example) make a ln -s /bin/sh rgbtest, then execute the demogrx program, click on "Rgbtest" and he will gain a root shell. I've tried it on Knoppix 3.1, Slackware 9.0, and it works. The solution is to use the exec(3) family of functions.
Good work on the library, I've found it very useful for quickly writing graphical applications. I will notify you when my media station is ready, if you like :-)
Fabio Bas
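
An added example, not part of the original messages or of the GRX source: one way to launch a demo as the quoted man page advises, using execve() on an absolute path after dropping privileges in the child, instead of system() on a path relative to the current directory. DEMO_DIR, build_demo_path and run_demo are hypothetical names chosen for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed install directory for the demo binaries (hypothetical path). */
#define DEMO_DIR "/usr/local/lib/grx/demos"

/* Join a trusted absolute directory and a bare program name.
 * Returns 0 on success, -1 if the name could escape the directory. */
int build_demo_path(char *out, size_t outlen, const char *dir, const char *prog)
{
    if (dir[0] != '/' || prog[0] == '\0' || prog[0] == '.' || strchr(prog, '/'))
        return -1;              /* absolute dir, bare file name only */
    int n = snprintf(out, outlen, "%s/%s", dir, prog);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;  /* reject truncation */
}

/* Run a program without a shell: fork, drop setuid/setgid privileges in the
 * child, then execve() the absolute path with a fixed environment.
 * Returns the child's exit status, or -1 on failure. */
int run_demo(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Group first, then user; give up if either drop fails. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(path, argv, envp);   /* no PATH search, no /bin/sh */
        _exit(127);                 /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char nprog[256];
    if (build_demo_path(nprog, sizeof nprog, DEMO_DIR, "rgbtest") != 0)
        return 1;
    return run_demo(nprog) == 0 ? 0 : 1;
}
```

Because the child gives up the launcher's privileges before the exec, a demo only runs privileged if its own binary in the trusted directory is installed setuid.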