From: Bill Stewart <stewarts@ix.netcom.com>
To: mpd@netcom.com (Mike Duvos)
Message Hash: 2714ce0b7844640fd6e9186c3137a57f232ccc2d1271b0e8d481c95f28dbddc2
Message ID: <3.0.1.32.19970222160819.00646170@popd.ix.netcom.com>
Reply To: <Pine.GSO.3.95.970222170729.18883B-100000@sundy.cs.pub.ro>
UTC Datetime: 1997-02-23 00:09:06 UTC
Raw Date: Sat, 22 Feb 1997 16:09:06 -0800 (PST)
Subject: Re: Security hole in Solaris 2.5 (sdtcm_convert) + exploit
At 09:36 AM 2/22/97 -0800, Mike Duvos wrote:
>> Another hole in Solaris
>Horrors no!
.....
>Where would Unix be without symbolic links and race conditions?
>
>This is cute, in that rather than having to mung a symbolic link on
>the fly, the program conveniently asks for user input with suid set,
>and then pauses while you set the trap.
As with many programs from the BSD universe, it's running with
root privileges when it could have gotten by with group privileges
or run as "nobody" or some other safe approach instead....
# Thanks; Bill
# Bill Stewart, +1-415-442-2215 stewarts@ix.netcom.com
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
# (If this is a mailing list, please Cc: me on replies. Thanks.)
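
One way to apply the least-privilege point in the reply above to the symlink race it discusses, added here as an example (not code from this thread or from Solaris): a set-uid program switches to the invoking user's IDs before creating a user-named file and refuses symlinks. The helper name open_user_output is hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* open_user_output() is a hypothetical helper, not code from any Solaris tool.
 * Called from a set-uid/set-gid program, it creates a file named by the
 * invoking user. Returns an fd, or -1 with errno set. */
int open_user_output(const char *path)
{
    uid_t priv_uid = geteuid();
    gid_t priv_gid = getegid();
    struct stat st;
    int fd, err;

    /* Become the real user for the open, so the kernel applies the caller's
     * own permissions. Group first: changing it needs the privileged euid. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;

    /* O_EXCL refuses any pre-existing name, including a planted symlink;
     * O_NOFOLLOW also refuses a symlink as the final path component. */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    err = errno;

    /* Regain privileges in reverse order; fail closed if that fails. */
    if (seteuid(priv_uid) != 0 || setegid(priv_gid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }
    /* Check the object actually opened, not the name, to avoid a second race. */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1)) {
        close(fd);
        fd = -1;
        err = EPERM;
    }
    errno = err;
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    int fd = open_user_output(argv[1]);
    if (fd < 0) { perror("open_user_output"); return 1; }
    close(fd);
    return 0;
}
```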