Full Disclosure mailing list archives

AIX 4.3.3 has make sgid 0?
From: BoneMachine <bonemach () sdf lonestar org>
Date: Mon, 22 Mar 2004 15:16:15 GMT

I was browsing the SecurityFocus vulnerability database and found the following:
"Because the make utility is reported to run with setGID root privileges, a local attacker may potentially exploit this 
condition to gain access to the root group"

Is this true? I cannot believe that IBM has a setGID root-bit on the make utility. This goes against all security 
practices I've ever heard.
Are there people that have more info on this vulnerability or is this a hoax?

Bone Machine

"I'm the king of airodynamics" - The Pixies

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
