On Tue, Aug 10, 1999 at 10:36:13AM -0500, Topher Hughes wrote: > at some point in time in the past either 1)netscape, 2) a patch or 3)me > set the set-gid bit on the /usr/spool/calendar directory. this > effectively stops it - the created files are all in the daemon group. > > *shrug* as soon as I figure out why that bit is set, I'll probably post > what fixed it. Ehrm, the SGID bit is set on the system I'm on too, I think it's the default. :-) That does not affect the bug though. Try: ln -s /filetocreate /usr/spool/calendar/.lock.<hostname> Several people have pointed out that Solaris 7 is not vulnerable, since the directory is only writeable to user and group daemon. One post also told me that he tested the bug on a Solaris 2.6 x86 system, where the link was deleted before creation of the file. Maybe Suns security guru Casper Dik could tell the rest of Bugtraq which patches there are for Solaris 2.6 that fixes this bug? :-) I don't know what patches are installed on the system where I found the bug, but both the race that let a user chown/chmod a file (since I saw in the truss-output that fchmod() and fchown() was used on the open filedescriptor instead) and the buffer overflow in the -d command line argument was fixed. -- Joel Eriksson jenat_private Security Consultant
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:55:55 PDT