The Unix Heritage Society mailing list
From: jnc@mercury.lcs.mit.edu (Noel Chiappa)
Subject: [TUHS] The evolution of Unix facilities and architecture
Date: Fri, 12 May 2017 19:30:12 -0400 (EDT)
Message-ID: <20170512233012.7B9DB18C099@mercury.lcs.mit.edu>

    > From: Clem Cole

    > I said -- profil - I intended to say  ptrace(2)

Is that the one where running an SUID program under the debugger allowed one
to patch the in-core image of said program?

If so, I have a story, and a puzzle, about that.


A couple of us, including Jim Gettys (later of X-windows fame) were on our way
out to dinner one evening (I don't recall when, alas, but I didn't meet him
until '80 or so), and he mentioned this horrible Unix security bug that had
just been found. All he would tell me about it (IIRC) was that it involved
ptrace.

So, over dinner (without the source) I figured out what it had to be:
patching SUID programs. So I asked him if that was what it was, and I don't
recall his exact answer, but I vaguely recall he hemmed and hawed in a way
that let me know I'd worked it out.

So when we got back from dinner, I looked at the source to our system to see
if I was right, and.... it had already been fixed! Here's the code:

	if (xp->x_count!=1 || xp->x_iptr->i_mode&ISVTX)
		goto error;

Now, we'd been running that system since '77 (when I joined CSR), without any
changes to that part of the OS, so I'm pretty sure this fix pre-dates your
story?

So when I saw your email about this, I wondered 'did that bug get fixed at
MIT when some undergrad used it to break in' (I _think_ ca. '77 is when they
switched from an OS called Delphi on the -11/45 used for the undergrad CS
programming course - I _think_ they switched that machine from Delphi to
Unix), or did it come with PWB1? (Like I said, that system was mostly PWB1.)

So I just looked in the PWB1 sources, and... there it is, the _exact_ same
fix. So we must have got it from PWB1.

So now the question is: did the PWB guys find and fix this, and forget to
tell the research guys? Or did they tell them, and the research guys blew
them off? Or what?

	Noel
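
A model of the check quoted in the message above, added here as an illustration; it is not code from the original post, from PWB1 or from any Unix kernel. Only the condition on x_count and ISVTX is taken from the message; the struct layouts, the function names (share_text, text_patch_allowed, poke_text, victim_sees_patch, try_patch), the toy text segment and the scenario are assumptions made for the example. On my reading of the check, the two halves guard two different things: with the text image shared (x_count > 1), a word written through the debugged process is also executed by every other process running the same binary, and with the sticky bit set the image would outlive the process, so a patch would be picked up by the next exec of that binary. The unchecked path models the kernel before the fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ISVTX     01000     /* "save text" (sticky) bit of the mode word */
#define TEXT_SIZE 16        /* toy text segment, in bytes (assumed size) */

/* Only the mode bits of the inode matter for the check. */
struct inode { int i_mode; };

/* One in-core copy of a pure-procedure text segment.  Every process that
 * execs the same binary points at the same struct text; x_count is how
 * many currently do.  Field names follow the snippet; the layout is assumed. */
struct text {
    int            x_count;
    struct inode  *x_iptr;
    unsigned char  image[TEXT_SIZE];   /* the instructions all sharers run */
};

struct proc { struct text *p_textp; };

/* Attach a process to an existing image, as exec of a shared-text binary
 * would: it gets the same bytes, not a copy. */
static void share_text(struct proc *p, struct text *xp)
{
    p->p_textp = xp;
    xp->x_count++;
}

/* The check quoted in the message.  Returns 1 if a tracer may write the text. */
static int text_patch_allowed(const struct text *xp)
{
    if (xp->x_count != 1 || (xp->x_iptr->i_mode & ISVTX))
        return 0;     /* shared with someone else, or sticky: refuse */
    return 1;
}

/* ptrace-style "write a byte into the tracee's text".  checked == 0 models
 * the kernel before the fix.  Returns 0 on success, -1 if refused. */
static int poke_text(struct proc *tracee, size_t off, unsigned char byte, int checked)
{
    struct text *xp = tracee->p_textp;

    if (xp == NULL || off >= TEXT_SIZE)
        return -1;
    if (checked && !text_patch_allowed(xp))
        return -1;
    xp->image[off] = byte;
    return 0;
}

/* Scenario from the message: the debugger's child and an unrelated process
 * (say a set-uid one started by someone else) run the same binary.
 * Returns 1 if the unrelated process ends up executing the patched byte. */
static int victim_sees_patch(int checked)
{
    struct inode ip = { 0755 };                 /* not sticky */
    struct text  xp = { 0, &ip, {0} };
    struct proc  debugged = { NULL }, victim = { NULL };

    memset(xp.image, 0x00, TEXT_SIZE);          /* placeholder instruction bytes */
    share_text(&debugged, &xp);
    share_text(&victim, &xp);                   /* x_count is now 2 */

    poke_text(&debugged, 3, 0xFF, checked);     /* tracer "patches" its child */
    return victim.p_textp->image[3] == 0xFF;
}

/* Outcome of a checked poke for a given number of other sharers and
 * sticky state: 0 = allowed, -1 = refused. */
static int try_patch(int other_sharers, int sticky)
{
    struct inode ip = { sticky ? (ISVTX | 0755) : 0755 };
    struct text  xp = { 0, &ip, {0} };
    struct proc  tracee = { NULL }, others[4];
    int i;

    share_text(&tracee, &xp);
    for (i = 0; i < other_sharers && i < 4; i++)
        share_text(&others[i], &xp);
    return poke_text(&tracee, 0, 0xFF, 1);
}

int main(void)
{
    printf("unchecked, shared text: victim sees patch = %d\n", victim_sees_patch(0));
    printf("checked,   shared text: victim sees patch = %d\n", victim_sees_patch(1));
    printf("checked, private text:  rc = %d\n", try_patch(0, 0));
    printf("checked, sticky text:   rc = %d\n", try_patch(0, 1));
    return 0;
}
```

The model says nothing about which uid runs which process; it only shows that a write into a shared image is a write into every sharer, which is why refusing the write when x_count is not exactly 1 closes the patching route regardless of who the other sharer is.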

