Re: regarding the (ex)preserve holes

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: Matthew Harding: "Yesterday this would have worked... (fwd)"
• Previous message: Matthew Harding: "regarding the (ex)preserve holes"
• Maybe in reply to: Matthew Harding: "regarding the (ex)preserve holes"
• Next in thread: Timothy Newsham: "Re: regarding the (ex)preserve holes"

Matthew Harding wrote:
>How does one go about determining the dangerousness of the (ex)preserve
>holes? I notice on my SunOS 4.1.x systems that both expreserve and 
>exrecover are suid root, but I assume that the latest versions of either
>the editors or the OS ignore this when playing with the IFS variables.
>Please tell me this is a correct assumption! I'm not sure if our
>friends at 8lgm etc. have a script for this, but I'm curious as to the
>ongoing danger of these holes.

I know that the unpatched Sun 4.1.? version of expreserve also suffered
from a race condition where you could trick it into writing it's
tempfile onto a symlink to a root owned file.  The patch number is
101579-01 (It's on the Solaris 1.1.1 Recommended Patches list.)

Some of the free UNIX OSs (FreeBSD and NetBSD) as recently as like a 
year ago still had a setuid expreserve that called system(3) to 
send notification mail.  (They have since switched to nvi, which 
has a far superior method of handling editor preserves).

 -- William McVey
    Instructional Labs Administrator
    Purdue Universtiy CS Dept.

• Next message: Matthew Harding: "Yesterday this would have worked... (fwd)"
• Previous message: Matthew Harding: "regarding the (ex)preserve holes"
• Maybe in reply to: Matthew Harding: "regarding the (ex)preserve holes"
• Next in thread: Timothy Newsham: "Re: regarding the (ex)preserve holes"