[1069] in linux-security and linux-alert archive
Re: [linux-security] RESOLV_HOST_CONF
daemon@ATHENA.MIT.EDU (C. Hodges)
Sun Aug 25 20:27:43 1996
Date: Sun, 25 Aug 1996 14:37:19 -0500
To: linux-security@tarsier.cv.nrao.edu, linux-alert@tarsier.cv.nrao.edu
From: "C. Hodges" <chodges@computek.net>
[Mod: Some quoting trimmed. --Jeff.]
At 12:48 AM 8/25/96 -0500, Jordy <jordy@newport.thirdwave.net> wrote:
>
>Sigh, I don't know why, but for some reason no one has brought up the
>RESOLV_HOST_CONF hack which is present in well, just about every
>resolv+ library ever.
it's been talked about a lot on Bugtraq... :>
>Real Patch isn't really available yet, from what i can see. You can modify
*ahem* for the most part, yes it is... NetKit-B-0.08 has at least ping and
others (?) fixed, but for some strange reason, he didn't bother to fix
finger tho... :\ (i also heard that ssh contains it too, haven't tried it yet)
[Mod: 'finger' isn't suid like 'ping' et al. --Jeff.]
actually, the library itself *SHOULD* be patched, but patched programs that
call it are almost good enough... (at least, until they find more progs that
have it)
>[REW: On Picasso: My ping isn't statically linked. My ping binary and
>my libc don't have the string RESOLV_HOST_CONF. My ping still opens
>/etc/resolv.conf when I set this environment variable.
>
>The proposed patch wont help a lot. chsh tcsh; Use csh syntax, or
>write a program to pass a suitable environment yourself.
>
ftp.linux.org.co.uk:/pub/linux/Networking/base/NetKit-B-0.08.tar.gz
until a newer one comes out that patches finger, anyway...