[5451] in bugtraq
Re: IRIX /var/inst/patchbase
daemon@ATHENA.MIT.EDU (Alain Renaud)
Sat Oct 25 11:14:22 1997
Date: Sat, 25 Oct 1997 09:28:07 -0400
Reply-To: Alain Renaud <renauda@SGI.COM>
From: Alain Renaud <renauda@SGI.COM>
X-To: Paul Tatarsky <paul@CSE.UCSC.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199710231648.JAA18620@tequila.cse.ucsc.edu>
The patchbase directory is always 700 the only way to change that is to
do it by hand. So I don't see this as a major issue... the reason the
patchbase directory exist is to be able to remove a patch after it's been
install. if you fell there is an issue you can always do
cd /var/inst/patchbase
rm -rf .
This will only prevent you from removing the patch you installed....
Hope this help.
____________________________________________________________________
Alain Renaud renauda@sgi.com
Region Technical Analyst Silicon Graphics Cray Research Inc.
"Have a nice day! ... Unless you have other plans ...."
____________________________________________________________________
On Thu, 23 Oct 1997, Paul Tatarsky wrote:
> I checked to see if this had been brought up before on Bugtraq, if it
> has been, I apologize. Didn't see it in the archive.
>
> Has anyone ever noticed that the IRIX inst patch installs hide away
> a copy of the patched binary in /var/inst/patchbase?
>
> While fine I guess for some things where a rollback might be needed, I
> also noticed that the various setuid buffer overrun binaries that we
> patched are saved away with the setuid bits retained.
>
> For example (as root):
>
> cd /var/inst/patchbase/usr/bsd
> ls -al ordist
> -rwsr-xr-x 1 root sys 79208 Sep 1 15:42 ordist*
>
> Now, while so far I haven't found /var/inst/patchbase directory
> permissions set to anything but root owner, mode 700, I wonder if that
> is just thanks to the umask when the inst program is first run? Does
> anyone have a world/group readable /var/inst/patchbase? Because if
> you do, you could still have a problem.
>
> We are now considering adding this step to adding a patch that is for
> setuid buffer overflow style problems in IRIX.
>
> versions removehist patchSGxxxxxxx
>
> That cleans up the stored patchbase items according to the README's.
> I don't know if that creates any other problems in installing future
> patches. Of course you could always remove the setuid bit as well.
>
> I'd be curious if other vendors store away patched binaries setuid
> like that. Doesn't seem like a real good idea.
>
> --------------------------------------------------------------------
> Paul Tatarsky paul@cse.ucsc.edu
> UC Santa Cruz
> CE/CIS Systems Manager
> --------------------------------------------------------------------
>
