For those of you using Digital Unix, here's what I've found so far about the dtappgather bug...

The patch in 4.0D patch kit 2 fixes the part of the bug that changes the ownership of any file to the user running dtappgather, but it does *NOT* fix the part that changes the protection on the file. For example, when I tried it using /etc/passwd as the target, the owner stayed the same but the protection changed from 644 to 555. This is still a problem, in that you can get read access to any file on the system.

I checked patch kit 8 for 4.0B, and it behaves the same as the patched 4.0D dtappgather.

I still suggest turning off the suid bit on dtappgather until we get a fix from Digital. I have reported this to Digital.

Mike Iglesias                          Internet:    iglesiasat_private
University of California, Irvine       phone:       949-824-6926
Office of Academic Computing           FAX:         949-824-2069
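The workaround and the symptom described in the post above, as an added example that is not part of the original message: a POSIX shell sketch that clears the setuid bit on a binary and flags files whose protection has drifted from a recorded baseline (such as 644 becoming 555). The function names, the `--run` switch and the baseline file format (`OCTAL PATH` per line) are assumptions of this example; the caller supplies the path to dtappgather.

```shell
#!/bin/sh
# Added example. Function names and baseline format are hypothetical;
# all paths are supplied by the caller.

# mode_is FILE OCTAL: succeed only if FILE's permission bits equal OCTAL exactly.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# drop_suid FILE: clear the setuid bit if it is set, then confirm it is gone.
# Prints "cleared", "already-clear" or "missing".
drop_suid() {
    if [ ! -e "$1" ]; then echo missing; return 2; fi
    if [ -u "$1" ]; then
        chmod u-s "$1" || return 1
        [ ! -u "$1" ] || return 1
        echo cleared
    else
        echo already-clear
    fi
}

# audit_modes BASELINE: BASELINE holds lines of "OCTAL PATH" ('#' lines ignored).
# Prints "DRIFT path expected=OCTAL" for each mismatch; returns 1 if any drifted.
audit_modes() {
    drift=0
    while read -r want path; do
        case "$want" in ''|'#'*) continue ;; esac
        if ! mode_is "$path" "$want"; then
            echo "DRIFT $path expected=$want"
            drift=1
        fi
    done < "$1"
    return "$drift"
}

# Usage: sh script.sh --run /path/to/dtappgather /path/to/baseline
if [ "${1:-}" = "--run" ]; then
    drop_suid "$2"
    audit_modes "$3"
fi
```

Record the baseline before any testing, since a file whose protection has already been changed would otherwise be captured as the expected mode.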