[8415] in bugtraq
Re: another /usr/dt/bin/dtappgather feature!
daemon@ATHENA.MIT.EDU (Casper Dik)
Wed Nov 4 21:23:50 1998
Date: Wed, 4 Nov 1998 12:43:58 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Mon, 02 Nov 1998 18:05:59 +0100."
<Pine.HPP.3.96.981102175301.25800A-100000@amb1.amb.polimi.it>
>There's attached the message related to this new feature..
>the /usr/dt/bin/dtappgather program tries to read the environment variable
>$DTUSERSESSION to get the name of the file to seek for.
>The file is searched in /var/dt/appconfig/appmanager.
>Under SunOS 5.5, 5.5.1 (aka Solaris 2.5, 2.5.1) that directory is 777 or
>01777 so you're able to make a symbolic link to the file you wish, but on
>SunOS 5.6 (Solaris 2.6) the directory is 755 to avoid this.
>Unfortunately the dtappgather never checks the $DTUSERSESSION variable, so
>you can use the syntax ../../.. etc... to grab the file you wish, even if
>you can't write the /var/dt/appconfig/appmanager directory....

Unless I'm very much mistaken, this is fixed in Solaris 7 as well as
with the following Solaris 2.x patches:

104497-04: CDE 1.0.1: dtappgather patch
104498-04: CDE 1.0.2: dtappgather patch
104499-04: CDE 1.0.1_x86: dtappgather patch
104500-04: CDE 1.0.2_x86: dtappgather patch
105837-02: CDE 1.2: dtappgather Patch
105838-02: CDE 1.2_x86: dtappgather Patch

(Released in March & June this year)

For /var/dt permissions, you need:

103882-08: CDE 1.0.2: dtlogin patch for login authentication issues
103884-06: CDE 1.0.1: dtlogin patch
103885-06: CDE 1.0.1_x86: dtlogin patch
103886-07: CDE 1.0.2_x86: dtlogin patch for login authentication issues

This was fixed in 2.6, but you still need to apply the following for other
problems:

105703-07: CDE 1.2: dtlogin patch
105704-07: CDE 1.2_x86: dtlogin patch

I'm not 100% sure the 2.5* patches will correct the permissions on
existing directories. They will create new directories with the proper
permissions.

Casper
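
An added example, not part of the message above and not Sun's patch code: a C sketch of the two checks the thread turns on, namely treating $DTUSERSESSION as a single file name under /var/dt/appconfig/appmanager and flagging the 777/01777 directory modes. The function names, the 255-byte limit and the single-component policy are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#define APPMANAGER_DIR "/var/dt/appconfig/appmanager" /* from the message */

/* Assumed policy: accept only one path component (non-empty, bounded,
 * no '/', not "." or ".."), so "../../.." and absolute paths fail. */
int session_name_is_safe(const char *name)
{
    size_t len;
    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 255 || strchr(name, '/') != NULL)
        return 0;
    return strcmp(name, ".") != 0 && strcmp(name, "..") != 0;
}

/* 0777 and 01777 both let any local user create a symlink in the
 * directory; the sticky bit only restricts removal. 0755 passes. */
int dir_mode_is_safe(mode_t mode)
{
    return (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Write APPMANAGER_DIR/<name> to out; 0 on success, -1 if rejected or too long. */
int build_session_path(const char *name, char *out, size_t outlen)
{
    int n;
    if (!session_name_is_safe(name))
        return -1;
    n = snprintf(out, outlen, "%s/%s", APPMANAGER_DIR, name);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char path[512];
    struct stat st;
    if (stat(APPMANAGER_DIR, &st) == 0 && !dir_mode_is_safe(st.st_mode))
        fprintf(stderr, "%s is group/world-writable\n", APPMANAGER_DIR);
    if (build_session_path(getenv("DTUSERSESSION"), path, sizeof path) != 0)
        return 1;
    puts(path);
    return 0;
}
```

Name validation alone does not cover the symlink case on 2.5/2.5.1, which is why the directory mode is checked separately.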