Re: Large security hole in SGI IRIX 5.2

Steve Robbins (steve@cim.mcgill.ca)
Fri, 10 Mar 1995 12:21:18 -0500 (EST)

On Tue, 7 Mar 1995, Software Test Account wrote:

> On Fri, 3 Mar 1995, Christian A. Ratliff wrote:
> 
> > On Thu, 2 Mar 1995 14:03:03 -0500 (EST)  Larry Glaze wrote:

[ ... there's a huge gaping idiotic bug in IRIX's 
  /usr/lib/desktop/permissions ... ]

> >   The hole comes from the authentication being at the _dirview_ (an SGI 
> > directory browser) level. You can only pull up 'permissions' when the menu 
> > item is not grayed out. If you run 'permissions' by hand, you eliminate 
> > that check and have root access to the permissions on a file.
> >   Turning the setuid/setgid bit off is a perfectly sensible solution to 
> > this problem, and it is beyond me why that wasn't the default permissions.
> >
> 
> I attempted to verify this problem on one of our SGI IRIX 5.2 boxes and 
> found that with or without the sgid/suid bits set and from dirview or 
> from the command line -- the permissions routine prompts you for a name 
> and password of a privileged user. 

Yeah, but it changes the modes on the target file *BEFORE EVEN ASKING FOR
THE PASSWORD* (if you double click 'apply').  And it doesn't care if you
enter the wrong password! 

--
                Steve Robbins -- Consultant in Computerology
                         steve@cim.mcgill.ca