[Coco] setuid? wasRe: Telnet to your CoCo.. and invite 6 of your friends

[Aaron Wolfe]

The OS9 F$SUser works as described in the docs.  It will let you
become any user you'd like.  I wrote a tiny (41 bytes in module form)
'su' command to verify, the relevant code is:

            ldy		#0				;lets be user 0
            os9		F$SUser

            ldd		#$1101
            leax	        shell,pcr
            os9		F$Chain			;chain to shell

An example of use:

NitrOS-9/6309 Level 2 V3.2.9 on the Tandy Color Computer 3  2009/11/29 08:02:27


User name?: aaron
Password: test

Process #04 logged on   2009/11/29 08:02:33
Welcome!

Welcome to NitrOS-9 Level 2!


Shell+ v2.2a 09/11/29 08:02:33

{T1|04}/DD:procs

         User                     Mem Stack
Id  PId Number  Pty Age Sts Signl Siz  Ptr   Primary Module
--- --- ------- --- --- --- ----- --- ----- ----------------
  4   3     1   128 128 $80    0   31 $5DDE Shell
  5   4     1   128 128 $80    0   31 $1EF1 Procs

{T1|04}/DD:su

Shell+ v2.2a 09/11/29 08:02:45

{T1|05}/DD:procs

         User                     Mem Stack
Id  PId Number  Pty Age Sts Signl Siz  Ptr   Primary Module
--- --- ------- --- --- --- ----- --- ----- ----------------
  2   1     0   128 131 $80    0   31 $64DE Shell
  3   2     0   128 131 $80    0   31 $61DE Tsmon
  5   4     0   128 128 $80    0   31 $5BDE Shell
  6   5     0   128 128 $80    0   31 $1EF1 Procs

{T1|05}/DD:




On Sun, Nov 29, 2009 at 3:44 AM, Willard Goosey <goosey at virgo.sdc.org> wrote:

> On Sat, Nov 28, 2009 at 08:37:21PM -0800, Wayne Campbell wrote:

>

>>OS-9 allows you to set access permissions based on the attributes of

>>the file/folder/program. In order for a user to use a program, they

>>have to have permission to access the directory, and the file and/or

>>program to use it.

>>

> True.  The filesystem's security seems to work fine.

>

>> With this in mind, one can establish a userlevel that makes it

>> possible to prevent users with lower access levels from using or

>> accessing things requiring higher access levels. Is this not the

>> case with OS-9?

>

> Actually, that's the part we're trying to figure out... ;-)

>

> Just like in UNIX there's a setuid() system call.  If it makes even a

> reasonable attempt to be secure (only user 0 is allowed to setuid)

> then we're pretty much OK.

>

> However, Tandy's documentation says it doesn't.  It claims any user

> can setuid to any other user-number.

>

> So, I tried to test this with a C version of su(1) from Rainbow.  The

> binary was corrupt, so I had to recompile it... And it worked

> properly.  User 0 can setuid to any user number, but other users aren't

> allowed to.

>

> Just to make this further ambiguous, the Microware C manual says that

> setuid() only works for user 0.  The manual for Kreider C lib agrees,

> but provides asetuid(), which succeeds even if you aren't user 0!

>

> Someone's going to have to either try an assembly version of su or

> read the source.

>

> And not me (at least not tonight)!  I've got other things to hack

> tonight.  Starting with the dished. :-(

>

> Willard

> --

> Willard Goosey  goosey at sdc.org

> Socorro, New Mexico, USA

> I search my heart and find Cimmeria, land of Darkness and the Night.

>  -- R.E. Howard

>

> --

> Coco mailing list

> Coco at maltedmedia.com

> http://five.pairlist.net/mailman/listinfo/coco

>