|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: [Full-Disclosure] AIX 4.3.3 has make sgid 0?
Valdis.Kletnieks
vt.edu
Date: Mon Mar 22 2004 - 12:08:08 CST
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Mon, 22 Mar 2004 15:16:15 GMT, BoneMachine <bonemachsdf.lonestar.org> said:
> Hello
> I was browsing the SecurityFocus vulnerability database and found the following:
> http://www.securityfocus.com/bid/9903
> "Because the make utility is reported to run with setGID root privileges, a local attacker may potentially exploit this condition to gain access to the root group"
>
> Is this true ? I cannot believe that IBM has an setGID root-bit on the make utillity. This goes against all security practices I've ever heard.
Looks like a crock to me. We still have one AIX 4.3.3 box left around:
[~]1 uname
AIX
[~]1 oslevel
4.3.3.0
[~]1 ls -l /bin/make
lrwxrwxrwx 1 bin bin 17 Feb 12 2003 /bin/make -> /usr/ccs/bin/make
[~]1 ls -lL /bin/make
-r-xr-xr-x 1 bin bin 90234 Jul 18 2001 /bin/make
[~]1 lslpp -L bos.adt.base
Fileset Level State Description
----------------------------------------------------------------------------
bos.adt.base 4.3.3.77 C Base Application Development
Toolkit
So if it was ever sgid 0, IBM fixed that sometime before July 2001.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh version 2.5 07/13/2001
iD8DBQFAXyuIcC3lWbTT17ARAsjAAKCM54CBHGfwOaL0XZtyq2g03Y3mBQCfZ+E/
lbr5lP99uouqdJ6qPPtzAhA=
=ob3D
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]