Puzzle of the Day

A network filter monitors connections and sends mail to the system administrators whenever a new connection is opened. The filter determines the IP address of the remote host from the initial packet exchange that sets up the connection, and maps that to a name. The variable ipaddr contains the IP address of the remote host:
if ((hp = gethostbyaddr((char *) &ipaddr, sizeof(ipaddr), AF_INET)) == NULL) {
	neterror("gethostbyaddr", h_errno);
	hname = "unknown";	/* reverse lookup failed */
} else
	hname = hp->h_name;	/* canonical name from the reverse lookup */
The filter uses the host name in the routine mpopen, which provides a safe environment for spawning subprocesses (it resets the PATH and IFS shell variables to known safe values, among other things) but otherwise acts like popen(3):
len = strlen(hname) + strlen("mail -s %s root") + 1;
if ((p = malloc(len * sizeof(char))) == NULL) {
	syserror("malloc", errno);
	goto ohdarn;
}
(void) sprintf(p, "mail -s %s root", hname);	/* host name becomes part of the command line */
if ((pp = mpopen(p, "w")) == NULL) {
	syserror("mpopen", errno);
	goto ohdarn;
}
tick = time(NULL);
/* the original listing breaks off after the format string; ctime(&tick) is the
   natural argument for the preceding time() call and is assumed here */
fprintf(pp, "Connection from this host made at %s", ctime(&tick));
  1. Under what conditions is this safe, in the sense that an attacker cannot do anything to damage the system as a result of the filter's actions?
  2. For those conditions in which it is not safe, how would you make it safe?
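One defensive approach to the second question, as an added example that is not part of the original puzzle: the reverse-DNS name is chosen by whoever controls the remote address's PTR record, so before it is spliced into the mpopen command line it is checked against the character set a legal host name may contain, and the puzzle's own "unknown" fallback is used otherwise. The function names hostname_is_safe and build_mail_cmd are assumptions introduced here.

```c
#include <stdio.h>
#include <string.h>

/* Return 1 if hname contains only characters a legal host name may hold
 * (ASCII letters, digits, '-' and '.'), has no empty labels, does not begin
 * or end with a separator, and is at most 255 bytes long; 0 otherwise.
 * A name that passes carries nothing a shell can interpret, and cannot be
 * mistaken by mail(1) for an option since it cannot start with '-'. */
int hostname_is_safe(const char *hname)
{
    size_t len = strlen(hname);
    size_t i;

    if (len == 0 || len > 255)
        return 0;
    if (hname[0] == '-' || hname[0] == '.' ||
        hname[len - 1] == '-' || hname[len - 1] == '.')
        return 0;
    if (strstr(hname, "..") != NULL)
        return 0;
    for (i = 0; i < len; i++) {
        char c = hname[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Build the command the puzzle's filter hands to mpopen.  A host name that
 * fails the check is replaced by "unknown", the same value the puzzle uses
 * when gethostbyaddr() fails.  snprintf replaces the puzzle's malloc/sprintf
 * pair so the caller's buffer size is respected; returns 0 on success and
 * -1 if the command would not fit in buf. */
int build_mail_cmd(const char *hname, char *buf, size_t bufsz)
{
    const char *subject = hostname_is_safe(hname) ? hname : "unknown";
    int n = snprintf(buf, bufsz, "mail -s %s root", subject);

    if (n < 0 || (size_t)n >= bufsz)
        return -1;
    return 0;
}
```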

Send email to cs153@csif.cs.ucdavis.edu.

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 3/1/98