A security hole

Doug Gwyn gwyn at brl-smoke.ARPA
Tue Apr 12 22:22:19 AEST 1988


In article <1458 at runx.ips.oz> avenger at runx.ips.oz (Troy Rollo ) writes:
>The program then creates a new file on another directory under your
>uid and gid with the mode 6777 (setuid, setgid, rwx for all).
>Later another program can be copied over it. Alternatively that
>program can be placed in the file by the bogus rnews.

The "alternative" has to be used, since writing a file normally
clears the set-?ID bits, at least on reasonable implementations
of UNIX.  (The exception is when UID 0 does this, but "news"
should not be UID 0.)



More information about the Comp.bugs.sys5 mailing list