[1195] in bugtraq


how not to ship an O/S - more on Irix 5.2

daemon@ATHENA.MIT.EDU (anthony baxter)
Tue Mar 7 02:39:01 1995

To: bugtraq@fc.net
From: anthony baxter <anthony.baxter@aaii.oz.au>
Reply-To: anthony.baxter@aaii.oz.au
Date: Tue, 07 Mar 1995 16:21:08 +1000


Now, who can pick the dangerous habit here:

First, Irix 5.2's setmon(1G) man page:
     setmon changes the video output format to the one specified; it also
     specifies the default video format to be used at system power-up or
     graphics initialization.  setmon should be invoked after you have
     acquired root privileges. 

Next, setmon, as shipped:
-r-sr-xr-x    1 root     sys       117840 Mar  5  1994 /usr/gfx/setmon

If it's only meant to be run by root, why give it the setuid bit? 

I'm also not going to ask why /usr/lib/addnetpr is setuid root, especially
when a 'strings' on it reveals what seems to be very likely to be 'system()'
or 'popen()' calls.
(strings gives, in part:
PRINTER
%s -P%s
I wonder what PRINTER="foo;/bin/rm /etc/passwd" would do)

And yes, it has its own security checks in it - but I'd feel much
happier if the security checks were left to the operating system, where
they belong - there's much less chance of screwing up, that way.

I was going to continue looking at the different setuid programs, but
this is getting too depressing. Look, just go through the system, take
the setuid bit off each program that has it, check it still works, if it
does, leave it off. If it's not going to be run by users, leave it off.
It's not a difficult thing to do. Wish SGI had done it before shipping.

Anthony
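
The audit the post recommends, as an added example that is not part of the original message: it lists every setuid file under a directory, flags those containing the words `system` or `popen` (the pattern spotted with strings(1) in addnetpr), and clears the bit while logging the old mode. The function names `list_setuid` and `drop_setuid` and the `SHELLOUT` flag are hypothetical, and the word match is a coarse triage hint, not proof of an unsafe call.

```shell
#!/bin/sh
# Added example: setuid triage along the lines the post suggests.
# Function names and the SHELLOUT flag are illustrative assumptions.

# list_setuid DIR
# Prints "<mode> <owner> <flag> <path>" for each setuid regular file.
# flag is SHELLOUT when the file contains the word "system" or "popen",
# which suggests it may hand a command line to a shell; otherwise "-".
list_setuid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort |
    while IFS= read -r f; do
        flag=-
        # -a: treat binaries as text, -w: whole words only
        LC_ALL=C grep -aqwE 'system|popen' "$f" 2>/dev/null && flag=SHELLOUT
        meta=$(ls -ld "$f" | awk '{print $1, $3}')
        printf '%s %s %s\n' "$meta" "$flag" "$f"
    done
}

# drop_setuid FILE LOG
# Appends the current "ls -ld" line to LOG, then clears the setuid bit,
# so the bit can be restored if the program turns out to need it.
drop_setuid() {
    ls -ld "$1" >> "$2" || return 1
    chmod u-s "$1"
}

# Stand-alone use: sh audit.sh /usr/lib
if [ $# -gt 0 ]; then
    list_setuid "$1"
fi
```

Review the `list_setuid` output first: an entry that is world-executable but documented as root-only, like setmon above, is a candidate for `drop_setuid`.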
