[8126] in bugtraq
Re: using Solaris pax to get files mode 777
daemon@ATHENA.MIT.EDU (Victor Lavrenko)
Tue Oct 6 16:21:51 1998
Date: Tue, 6 Oct 1998 14:54:32 +0400
Reply-To: lavrenko@MCST.RU
From: Victor Lavrenko <lavrenko@MCST.RU>
X-To: feyrer@RFHS8012.FH-REGENSBURG.DE
To: BUGTRAQ@NETSPACE.ORG
>>>>> "Hubert" == Hubert Feyrer <feyrer@RFHS8012.FH-REGENSBURG.DE> writes:
Hubert> Hi, I've discovered a bug in Solaris 2.5 and 2.6's pax
Hubert> (probably others) that might be exploited somehow - at
$ ls -l $(which pax)
-r-xr-xr-x 1 bin bin 56908 Oct 25 1995 /usr/bin/pax
$ man pax
[skip]
In read or copy modes, if intermediate directories are
necessary to extract an archive member, pax will perform
actions equivalent to the mkdir(2) function, called with the
following arguments:
o the intermediate directory used as the path argument
o the octal value of 777 or rwx (read, write, and exe-
cute permissions) as the mode argument (see
chmod(1)).
[skip]
So, pax is not root setuid and such behavior is specified in the
manual. If you are running utilities under root and don't read manuals,
your system will be full of security holes. "rm -rf /" is an example
of such an exploit. If you don't know what "rm" does, you may think that
it has security holes. But it doesn't, IMHO.
--
Victor Lavrenko
Homepage: http://www.lavrenko.pp.ru/
E-mail: lavrenko@mcst.ru lavrenko@cs.msu.su
Fingerprint: 35 D0 98 8D 96 E5 F4 BA 59 FB 9D 29 92 26 F5 59
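
Added example, not part of the original message or of pax: the man page excerpt above says intermediate directories are created as if by mkdir(2) with mode 777, and mkdir(2) masks the requested mode with the caller's umask. The sketch uses the shell's mkdir as a stand-in for that behaviour (an assumption) and then lists world-writable directories left under an extraction root. Function names and paths are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; plain mkdir stands in for the mkdir(2)-equivalent
# call the man page describes. All names here are hypothetical.

# Create intermediate directories the way a mkdir(2) call with mode 0777
# would: requested mode 777, resulting mode 777 & ~umask.
# $1 = umask to run under, $2 = extraction root, $3 = relative directory path
make_intermediate_dirs() {
    ( umask "$1" && cd "$2" && mkdir -p "$3" )
}

# Print the type and permission string of a directory, e.g. drwxr-xr-x.
# cut drops any trailing ACL or security-context marker.
dir_mode() {
    ls -ld "$1" | cut -c1-10
}

# List directories under $1 that are world-writable and lack the sticky bit,
# i.e. places where any local user may create, rename or delete entries.
audit_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# Constructed demonstration: the same kind of path under two umasks.
demo() {
    root=$(mktemp -d) || return 1
    make_intermediate_dirs 000 "$root" loose/a/b
    make_intermediate_dirs 022 "$root" tight/a/b
    echo "umask 000: $(dir_mode "$root/loose/a")"
    echo "umask 022: $(dir_mode "$root/tight/a")"
    echo "world-writable directories found:"
    audit_world_writable "$root"
    rm -rf "$root"
}

demo
```

Running the audit function over a freshly extracted tree, before other users can reach it, shows whether the umask in effect at extraction time left any directory open to everyone.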