On Tue, 7 Mar 1995, Software Test Account wrote:

> On Fri, 3 Mar 1995, Christian A. Ratliff wrote:
>
> > On Thu, 2 Mar 1995 14:03:03 -0500 (EST) Larry Glaze wrote:

[ ... there's a huge gaping idiotic bug in IRIX's /usr/lib/desktop/permissions ... ]

> > The hole comes from the authentication being at the _dirview_ (an SGI
> > directory browser) level. You can only pull up 'permissions' when the menu
> > item is not grayed out. If you run 'permissions' by hand, you eliminate
> > that check and have root access to the permissions on a file.
> > Turning the setuid/setgid bit off is a perfectly sensible solution to
> > this problem, and it is beyond me why that wasn't the default permissions.
> >
>
> I attempted to verify this problem on one of our SGI IRIX 5.2 boxes and
> found that with or without the sgid/suid bits set and from dirview or
> from the command line -- the permissions routine prompts you for a name
> and password of a privileged user.

Yeah, but it changes the modes on the target file *BEFORE EVEN ASKING FOR THE PASSWORD* (if you double click 'apply'). And it doesn't care if you enter the wrong password!

--
Steve Robbins -- Consultant in Computerology
steve@cim.mcgill.ca