> > > > The best solution is to make sure you don't have suid shell scripts
> > > Cops does a fine job in finding them for you so does:
> > >
> > > find / \( -type d -fstype nfs -prune \) -o -type f \( -perm -4001 -o -perm
> > > -4010 -o -perm -4100 -o -perm -2100 -o -perm -2010 -o -perm -2001 \)
> > >
> > > If I remember correctly SunOS 4.1.x is just one of those UNIX systems that
> > > allows suid shell scripts. I don't think this will be 'fixed'.
> > > But you can always try to mail security-alert@Sun.COM.
> > >
> > >
> >
> > Of course you can always mount your filesystems `nosuid'.
>
> The "correct" thing to do is to patch kern_exec.c (kern_exec.o).
> This is nontrivial if you don't have source. It's trivial
> if you do (I don't). No one has done this publicly as of yet.
>
> Thinking about it, I wonder if the BSD kern_exec is "good enough".
> If so, perhaps it could be substituted. Anyone? (Casper?)

It's not trivial, I think there are a lot of subtle differences. I understand
SunOS 4.1.x's kern_exec.o is based on the BSD 4.3 version (@(#)kern_exec.c 7.1
(Berkeley) 6/5/86) but a lot must have changed for SunOS. E.g.:

1. BSD 4.3 uses inodes for pathname lookups/file access; SunOS uses vnodes.
   Their corresponding different operations (e.g. rdwri() & vn_rdwr()) have
   different interfaces. [Maybe one of the later 4.3BSD's (reno?) which
   incorporate vnodes might be easier to start from..]

2. BSD 4.3 pathname lookups use namei(), SunOS uses pn_get() & lookuppn().

3. BSD 4.3 has no concept of 'nosuid' mounted filesystems.

4. On SunOS, the exdata struct is part of the user struct, on BSD 4.3 it's
   just local to execve(), and - just to make it more fun :) - all the
   corresponding field names are different.

5. SunOS execve() must have support for other SunOS specific bits that
   BSD 4.3 doesn't have, like support for trace(1), asynch io & fcntl(2)
   style record locks.

etc etc etc.

In short I don't think it could be attempted without access to SunOS source -
and obviously the people with access have no reason to attempt it! Maybe if
enough people scream Sun will put out a patched kern_exec.o, or at least allow
someone else to do it.

------------------------------------------+-----------------------------------
Mailed using ELM on FreeBSD               |                    Karl Strickland
PGP 2.3a Public Key Available.            | Internet: karl@bagpuss.demon.co.uk
                                          |
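
Added example (not part of the original message or thread): a shell function that narrows the quoted find search to setuid/setgid regular files that are actually interpreter scripts, meaning their first two bytes are "#!". The function name is made up for illustration, and it uses -xdev to stay on the starting filesystem rather than the thread's NFS prune.

```shell
#!/bin/sh
# find_suid_scripts DIR  (hypothetical helper name, added for illustration)
#
# Print every regular file under DIR that has the setuid or setgid bit set
# AND starts with the "#!" interpreter marker, one path per line.
#
# The find command quoted in the thread lists setuid/setgid executables of
# any kind; this adds the content check so that only scripts are reported.
#
# Assumptions:
#   - -xdev keeps the walk on DIR's own filesystem, so remote mounts are
#     skipped without relying on a filesystem-type test.
#   - Run with enough privilege to read the candidates; a file that cannot
#     be opened is skipped, not reported.
find_suid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec sh -c '
        for f do
            # Read only the first two bytes; drop NULs so binary files
            # do not produce shell warnings in the command substitution.
            magic=$(head -c 2 <"$f" 2>/dev/null | tr -d "\000")
            if [ "$magic" = "#!" ]; then
                printf "%s\n" "$f"
            fi
        done' sh {} + 2>/dev/null
}
```

After sourcing the file, `find_suid_scripts /` checks the root filesystem; repeat it per local mount point, since -xdev does not cross into other filesystems.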