>>>>> "Hubert" == Hubert Feyrer <feyrerat_private-REGENSBURG.DE> writes: Hubert> Hi, I've discovered a bug in Solaris 2.5 and 2.6's pax Hubert> (probably others) that might be exploited somehow - at $ ls -l $(which pax) -r-xr-xr-x 1 bin bin 56908 Oct 25 1995 /usr/bin/pax $ man pax [skip] In read or copy modes, if intermediate directories are necessary to extract an archive member, pax will perform actions equivalent to the mkdir(2) function, called with the following arguments: o the intermediate directory used as the path argument o the octal value of 777 or rwx (read, write, and exe- cute permissions) as the mode argument (see chmod(1)). [skip] So, pax is not root setuid and such behavior is specified in manual. If you are running utilities under root and don't read manuals, your system will be full of security holes. "rm -rf /" is the example of such exploit. If you don't know what "rm" does, you may think that it has security holes. But it doesn't, IMHO. -- Victor Lavrenko Homepage: http://www.lavrenko.pp.ru/ E-mail: lavrenkoat_private lavrenkoat_private Fingerprint: 35 D0 98 8D 96 E5 F4 BA 59 FB 9D 29 92 26 F5 59
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:47 PDT