[4031] in bugtraq
Re: IRIX: Bug in startmidi
daemon@ATHENA.MIT.EDU (Steve M. Acheson)
Mon Feb 10 14:35:36 1997
Date: Mon, 10 Feb 1997 09:18:56 -0800
Reply-To: "Steve M. Acheson" <sma@NAS.NASA.GOV>
From: "Steve M. Acheson" <sma@NAS.NASA.GOV>
X-To: Astley Chan <astley@DMF328.UST.HK>
To: BUGTRAQ@netspace.org
In-Reply-To: Your message of "Mon, 10 Feb 1997 12:52:55 +0800."
<199702100452.MAA10574@dmf328.ust.hk>
> > > Whilst browsing around the filesystem on my SGI (running IRIX 5.3), I
> > > noticed a little suid-root program called 'startmidi' which hides in
> > > /usr/sbin. When run, this program creates various files in /tmp. You
> > > guessed it, it respects umask and follows symlinks. Comme ca:
[ example ...]
> > eh... that's strange. I was looking at startmidi a while back, but didn't
> > find any root holes. Now I look again, still nothing. Indeed, on my 5.3
>
> umm..I can successfully create file owned by root..
>
> > You must have some special configuration, I reckon. On the box I was testing
>
> I don't think it's special to his machine, I've got the same behaviour
> as described (though stopmidi can't remove the file already in /tmp).
All of my systems, 5.3/6.2/6.3 are immune to this problem. We also have all
of the security patches installed.
Something I did notice, is that when it creates the socket in /tmp/midififo,
it properly deals with user perms, and doesn't follow symlinks, but it doesn't
reset the group of the fifo. It left it as my primary group.
While the permissions of it are 600 it isn't a big concern, but it probably
would be better as group root.
Just my paranoia...
Satch
--
================================================================
Steve Acheson sma@nas.nasa.gov
Numerical Aerospace Simulation Facility 415-604-4495
NASA Ames - MS 258-6
Moffett Field, Ca 94035-1000
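
The /tmp handling discussed in this thread (umask, symlinks, and the group left on the FIFO), shown as an added C example that is not part of the original message and is not startmidi's code. The names `create_private_fifo` and `run_demo` are hypothetical, and the demo passes the caller's own group because an unprivileged run cannot assign group 0; a setuid-root program would pass 0.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a FIFO at path with mode 0600 and group gid.
 * Returns an open read-side descriptor, or -1 on failure. */
int create_private_fifo(const char *path, gid_t gid)
{
    struct stat st;
    /* mkfifo() does not follow a symlink in the last component: anything
     * already at path (file, symlink, stale FIFO) makes it fail with EEXIST. */
    if (mkfifo(path, 0600) != 0) return -1;
    /* Use a descriptor from here on so checks and changes hit one object. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISFIFO(st.st_mode) || st.st_uid != geteuid())
        goto fail;
    /* The caller's umask and group end up on the node unless both are set. */
    if (fchmod(fd, 0600) != 0 || fchown(fd, (uid_t)-1, gid) != 0)
        goto fail;
    return fd;
fail:
    close(fd);
    return -1;
}

/* Constructed demo in a scratch directory; returns 0 when the FIFO gets
 * mode 0600 and the requested group, and a pre-planted symlink is refused. */
int run_demo(void)
{
    char dir[] = "/tmp/fifodemoXXXXXX", path[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(path, sizeof path, "%s/midififo", dir);
    umask(0200);                        /* caller-supplied umask: 0600 -> 0400 */
    int fd = create_private_fifo(path, getegid());  /* setuid-root: pass 0 */
    if (fd < 0 || fstat(fd, &st) != 0) return 2;
    int ok = (st.st_mode & 0777) == 0600 && st.st_gid == getegid();
    close(fd);
    unlink(path);
    if (symlink("elsewhere", path) != 0) return 3;  /* link planted first */
    int refused = create_private_fifo(path, getegid()) == -1;
    unlink(path);
    rmdir(dir);
    return (ok && refused) ? 0 : 4;
}

int main(void) { return run_demo(); }
```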