Re: regarding the (ex)preserve holes
William McVey (wam@cs.purdue.edu)
Fri, 16 Dec 1994 15:00:20 -0500
- Next message: Matthew Harding: "Yesterday this would have worked... (fwd)"
- Previous message: Matthew Harding: "regarding the (ex)preserve holes"
- Maybe in reply to: Matthew Harding: "regarding the (ex)preserve holes"
- Next in thread: Timothy Newsham: "Re: regarding the (ex)preserve holes"
Matthew Harding wrote:
>How does one go about determining the dangerousness of the (ex)preserve
>holes? I notice on my SunOS 4.1.x systems that both expreserve and
>exrecover are suid root, but I assume that the latest versions of either
>the editors or the OS ignore this when playing with the IFS variables.
>Please tell me this is a correct assumption! I'm not sure if our
>friends at 8lgm etc. have a script for this, but I'm curious as to the
>ongoing danger of these holes.
I know that the unpatched Sun 4.1.? version of expreserve also suffered
from a race condition where you could trick it into writing its
tempfile onto a symlink to a root owned file. The patch number is
101579-01 (It's on the Solaris 1.1.1 Recommended Patches list.)
Some of the free UNIX OSs (FreeBSD and NetBSD) as recently as like a
year ago still had a setuid expreserve that called system(3) to
send notification mail. (They have since switched to nvi, which
has a far superior method of handling editor preserves).
-- William McVey
Instructional Labs Administrator
Purdue University CS Dept.
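
The symlink race mentioned in the message above arises when a privileged program creates its temp file by name without an atomic existence check. The following C sketch of a hardened creation routine is an added example, not code from the post, the Sun patch, or nvi; `open_preserve_file`, `demo` and the file names are hypothetical, and the scenario is constructed in a private directory.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create path for writing; fail if anything (file or symlink) already exists. */
int open_preserve_file(const char *path)
{
    /* O_CREAT|O_EXCL makes the existence check and the creation one atomic
       step and never follows a symlink in the final path component. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    /* Inspect the object we hold, not the name, so there is no second race. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: a symlink already sits where the preserve file goes.
   Returns 0 if the planted link is refused and a fresh name is accepted. */
int demo(void)
{
    char dir[] = "/tmp/preserve-demo-XXXXXX";
    char target[64], planted[64], fresh[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(planted, sizeof planted, "%s/Ex00001", dir);
    snprintf(fresh, sizeof fresh, "%s/Ex00002", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600)); /* stands in for a root-owned file */
    if (symlink(target, planted) != 0)
        return -1;
    int refused = (open_preserve_file(planted) == -1);
    int fd = open_preserve_file(fresh);
    int ok = refused && fd >= 0;
    if (fd >= 0)
        close(fd);
    unlink(planted); unlink(fresh); unlink(target); rmdir(dir);
    return ok ? 0 : 1;
}

int main(void) { return demo(); }
```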