Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: using Solaris pax to get files mode 777
From: lavrenko () MCST RU (Victor Lavrenko)
Date: Tue, 6 Oct 1998 14:54:32 +0400


"Hubert" == Hubert Feyrer <feyrer () RFHS8012 FH-REGENSBURG DE> writes:

    Hubert> Hi, I've discovered a bug in Solaris 2.5 and 2.6's pax
    Hubert> (probably others) that might be exploited somehow - at

$ ls -l $(which pax)
-r-xr-xr-x   1 bin      bin        56908 Oct 25  1995 /usr/bin/pax

$ man pax
[skip]
     In read or  copy  modes,  if  intermediate  directories  are
     necessary  to  extract  an  archive member, pax will perform
     actions equivalent to the mkdir(2) function, called with the
     following arguments:

          o the intermediate directory used as the path argument

          o the octal value of 777 or rwx (read, write, and  exe-
            cute   permissions)   as   the   mode  argument  (see
            chmod(1)).
[skip]

So, pax is not root setuid and such behavior is specified in
manual. If you are running utilities under root and don't read manuals,
your system will be full of security holes. "rm -rf /" is the example
of such exploit. If you don't know what "rm" does, you may think that
it has security holes. But it doesn't, IMHO.

--
Victor Lavrenko
   Homepage:        http://www.lavrenko.pp.ru/
   E-mail:          lavrenko () mcst ru  lavrenko () cs msu su
   Fingerprint:     35 D0 98 8D 96 E5 F4 BA  59 FB 9D 29 92 26 F5 59



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]