Re: HP UX Bug :)
From: brian () FIREHOUSE NET (Brian Mitchell)
Date: Tue, 2 Sep 1997 03:29:03 -0400
On Mon, 1 Sep 1997, Leonid S Knyshov wrote:
> However, it wipes out the target file. A symlink to /etc/passwd comes to

the file would retain permissions. permissions are set on create, it
probably is simply truncating the file.

> But, since it follows the umask, it might be possible to replace binaries
> executed by system...
> In any event, a very dangerous condition...

Indeed. .forward/.rhosts is the most obvious attack.

> I do not have the access to source code, so I can't think of a patch.
> Probably replace getenv with getuid or something like that.

It's kinda lame, but:
remove the s bit from the program, write a c program that clears the
environment and exports those variables it needs (setting the user via
getpwuid() or somesuch) then executes the program (while euid=0,
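
The wrapper workaround described in the message above, as an added example that is not part of the original post or of any vendor code: the wrapper is the file that carries the setuid bit, the real program has its s bit removed, and the environment is rebuilt from the passwd entry for the real uid. The `TARGET` path is a placeholder, and the variable list (`LOGNAME`, `USER`, `HOME`, `PATH`) and the helper names `put` and `build_env` are assumptions.

```c
/* Added example: setuid wrapper that execs the real program with a rebuilt environment. */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define TARGET  "/path/to/real-program"  /* placeholder: the binary with its s bit removed */
#define ENV_MAX 4                        /* assumed list: LOGNAME, USER, HOME, PATH */
#define ENV_LEN 256

/* Store "key=val" in dst; fail on a missing or empty value, or on truncation. */
static int put(char *dst, const char *key, const char *val)
{
    int n;
    if (val == NULL || strlen(val) == 0)
        return -1;
    n = snprintf(dst, ENV_LEN, "%s=%s", key, val);
    return (n < 0 || n >= ENV_LEN) ? -1 : 0;
}

/* Build the whole environment from the passwd entry, never from the caller's
 * environment. Returns the number of variables set, or -1 on any error. */
int build_env(const struct passwd *pw, char *envp[ENV_MAX + 1], char store[ENV_MAX][ENV_LEN])
{
    int i;
    if (pw == NULL ||
        put(store[0], "LOGNAME", pw->pw_name) != 0 ||
        put(store[1], "USER", pw->pw_name) != 0 ||
        put(store[2], "HOME", pw->pw_dir) != 0 ||
        put(store[3], "PATH", "/usr/bin:/bin") != 0)
        return -1;
    for (i = 0; i < ENV_MAX; i++)
        envp[i] = store[i];
    envp[ENV_MAX] = NULL;
    return ENV_MAX;
}

int main(int argc, char *argv[])
{
    char store[ENV_MAX][ENV_LEN];
    char *envp[ENV_MAX + 1];
    /* getuid() is the real uid: the user who ran the wrapper, whatever euid is. */
    if (argc < 1 || build_env(getpwuid(getuid()), envp, store) < 0) {
        fprintf(stderr, "wrapper: cannot build environment\n");
        return 1;
    }
    execve(TARGET, argv, envp);  /* euid is kept across exec of a non-setuid file */
    perror("wrapper: execve");
    return 1;
}
```

Nothing from the caller's environment reaches the target, so a variable the program previously trusted via getenv now always reflects the passwd database entry for the invoking uid.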