[8435] in bugtraq
Re: another /usr/dt/bin/dtappgather feature!
daemon@ATHENA.MIT.EDU (Mike Iglesias)
Fri Nov 6 12:40:16 1998
Date: Thu, 5 Nov 1998 09:26:19 -0800
Reply-To: Mike Iglesias <iglesias@DRACO.ACS.UCI.EDU>
From: Mike Iglesias <iglesias@DRACO.ACS.UCI.EDU>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of Wed, 04 Nov 1998 12:43:58 +0100.
             <199811041143.MAA23357@romulus>

For those of you using Digital Unix, here's what I've found so far
about the dtappgather bug...

The patch in 4.0D patch kit 2 fixes the part of the bug that changes
the ownership of any file to the user running dtappgather, but it does
*NOT* fix the part that changes the protection on the file. For
example, when I tried it using /etc/passwd as the target, the owner
stayed the same but the protection changed from 644 to 555. This is
still a problem, in that you can get read access to any file on the
system.

I checked patch kit 8 for 4.0B, and it behaves the same as the patched 4.0D
dtappgather.

I still suggest turning off the suid bit on dtappgather until we
get a fix from Digital. I have reported this to Digital.

Mike Iglesias Internet: iglesias@draco.acs.uci.edu
University of California, Irvine phone: 949-824-6926
Office of Academic Computing FAX: 949-824-2069
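
The workaround and the symptom described in the message above, as an added example that is not part of the original post: a POSIX shell audit that checks whether dtappgather still carries the suid bit, clears it on request, and flags watched files whose mode has become exactly 555. The default path comes from the thread subject; the function names and the choice of files to watch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). DTAPP defaults to the path in
# the thread subject; the files passed as arguments are the admin's choice.
DTAPP=${DTAPP:-/usr/dt/bin/dtappgather}

# Print the 10-character permission string (e.g. -rw-r--r--) using ls,
# which avoids depending on a particular stat(1) syntax.
perm_string() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Succeed if the file exists and has the set-user-ID bit.
has_suid() {
    [ -u "$1" ]
}

# Workaround suggested in the post: drop the suid bit, then verify it is gone.
clear_suid() {
    chmod u-s "$1" && ! has_suid "$1"
}

# Print each regular file among the arguments whose mode is exactly 555,
# the value the post reports /etc/passwd ending up with.
flag_mode_555() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        if [ "$(perm_string "$f")" = "-r-xr-xr-x" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Report the state of the binary and of every watched file.
audit() {
    if has_suid "$DTAPP"; then
        echo "WARN: $DTAPP is setuid; workaround not applied"
    else
        echo "ok: $DTAPP is not setuid (or not installed)"
    fi
    flag_mode_555 "$@" | sed 's/^/WARN: mode 555: /'
}

# Example: sh audit.sh /etc/passwd /etc/group
if [ "$#" -gt 0 ]; then audit "$@"; fi
```

Files that are legitimately mode 555 will also be listed, so pass only files that are expected to be non-executable, such as /etc/passwd.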