Re: digital unix 4.0 hole

[szabo_p () MATHS SU OZ AU (Paul Szabo)]

[I sent this to bugtraq on 17 Nov, but maybe the moderator misplaced it...]

There are currently two threads of creating root-owned core files on dUNIX
machines. Tom Leffingwell <tom () sba miami edu> wrote:
> setenv DISPLAY abcdefghi
> /usr/bin/X11/xterm
and John McDonald <jmcdonal () OSPREY UNF EDU> suggested:
> If you run dbx (tested on 3.11.10) on a setuid root program ...

To avoid the problem of core file creation, Johan Danielsson
<joda () PDC KTH SE> said to patch /vmunix:
> # cp /vmunix /vmunix.save
> # dbx /vmunix
> (dbx) ((unsigned*)core+82)/1 i
>   [core:5261, 0xfffffc000026ff48]       and     r1, r2, r1
> (dbx) patch *((unsigned*)core+82) = 0x203f0001
>   [core:5261, 0xfffffc000026ff48]       lda     r1, 1(r31)
> (dbx) q
> # reboot

A colleague of mine suggests that, since /sbin/rc3.d starts anything a
user's process could be a descendant of, a simpler method might be to insert
one line into /sbin/rc3 :

ulimit -h -c 0

This solution seems to work for me (passed my limited testing).

Paul Szabo - System Manager   //        School of Mathematics and Statistics
psz () maths usyd edu au         //   University of Sydney, NSW 2006, Australia