Re: [SERVER, SECURITY] bug in set_task_perms() ?

• Date: Thu, 21 Sep 1995 13:35:09 PDT
• From:
  bartmoss@mistral.co.uk
• Content-Type: text/plain; charset="us-ascii"

>Some time ago, Rui pointed out that the current definition of
>set_task_perms() may lead to a security hole.
>The problem is that wizperms can set_task_perms() to an invalid object.
>Some verbs rely on testing whether valid(caller_perms()), as a general test
>for 'am I being called from command line, or from another verb?', just
>because this is cheaper than using callers(). But setting task perms to an
>invalid may fool this.
>I suggest that bf_set_task_perms be modified to return E_INVARG if the
>wizard attempts to set_task_perms() to an invalid object. The modification
>is very simple. In execute.c, modify:
>

How is this a security hole, I may be missing the point but if a programmer 
could do this then I would agree. But, a wizard may need to do it, I did and 
why would it be wrong to have it as a possible wizards tool? They can do 
practically anything anyway.


-Chris.

• Prev: [SERVER, SECURITY] bug in set_task_perms() ?
• Next: Re: [SERVER, SECURITY] bug in set_task_perms() ?
• Index: MOO-cows
• Thread: MOO-cows