From: Bill Stewart <stewarts@ix.netcom.com>
Date: Sat, 22 Feb 1997 16:09:06 -0800 (PST)
To: mpd@netcom.com (Mike Duvos)
Subject: Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
In-Reply-To: <Pine.GSO.3.95.970222170729.18883B-100000@sundy.cs.pub.ro>
Message-ID: <3.0.1.32.19970222160819.00646170@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain


At 09:36 AM 2/22/97 -0800, Mike Duvos wrote:
>> Another hole in Solaris
>Horrors no!  

.....

>Where would Unix be without symbolic links and race conditions?  
>
>This is cute, in that rather than having to mung a symbolic link on
>the fly, the program conveniently asks for user input with suid set,
>and then pauses while you set the trap.  

As with many programs from the BSD universe, it's running with
root privileges when it could have gotten by with group privileges
or run as "nobody" or some other safe approach instead....


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)