Re: IRIX: Bug in startmidi
From: volobuev () T1 CHEM UMN EDU (Yuri Volobuev)
Date: Sun, 9 Feb 1997 21:20:36 -0600

> Whilst browsing around the filesystem on my SGI (running IRIX 5.3), I
> noticed a little suid-root program called 'startmidi' which hides in
> /usr/sbin. When run, this program creates various files in /tmp. You
> guessed it, it respects umask and follows symlinks. Comme ca:
>
> % umask 0
> % ln -s /blardyblar /tmp/.midipid
> % startmidi -d /dev/ttyd1
> % ls -l /blardyblar
> -rw-rw-rw- 1 root pgrad 0 Feb 9 17:46 /blardyblar
> % stopmidi -d /dev/ttyd1

eh... that's strange. I was looking at startmidi a while back, but didn't
find any root holes. Now I look again, still nothing. Indeed, on my 5.3
box it creates a couple of files in /tmp with known names, but it calls
setreuid(-1,userid) right after the startup, so files are owned by the
caller. Of course, it's still bad, because caller's files can be
overwritten, and if you can trick root into calling it... But if you go
there, there are already too few programs running as root (not suid, I mean
cronjobs and such) that do this already. I was going to make a summary of
dangerous cronjobs, but then got busy with something else. Run crontab -l
as root to get an impression :).

You must have some special configuration, I reckon. On the box I was testing

showfiles | grep startmidi
f 64563 18688 dmedia_eoe.sw.midi usr/sbin/startmidi

It's Irix 5.3 with all security patches applied, plus DSE 1.1.

Still, chmodding-s away startmidi is a good idea. Why should users be able
to screw around with MIDI, anyway?

Always speaking for myself and only for myself.