getting vendors to fix security bugs
Guy Harris
guy at auspex.auspex.com
Thu Feb 21 08:45:35 AEST 1991
>Speaking of which I wonder when they'll get around to fixing or disabling
>suid scripts. Anybody have the very latest release of SunOS and able to
>verify whether the bug's still there?
SunOS 4.1 still allows set-UID shell scripts, and doesn't close the
*current* most-infamous security hole. Unfortunately, I don't think its
existence is documented; were it documented, I wouldn't see any need to
disable suid scripts, as I suspect most users can somehow summon enough
self-discipline not to use set-UID shell scripts, even if their system
allows them, if the security risk is greater than the benefits.
S5R4 should close the *particular* hole mentioned above by using
"/dev/fd/N" (although there may well be others lurking), so SunOS/S5R4
should as well.
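A defender's audit for the condition discussed in this post: list regular files that carry the set-UID or set-GID bit and begin with `#!`, along with the interpreter they name. This is an added example, not part of the original message; the function names and the default scan root are assumptions.

```python
import os
import stat
import sys

SETID = stat.S_ISUID | stat.S_ISGID


def is_setid_script(mode, head):
    """True for a regular file with a set-UID/set-GID bit whose content starts with '#!'."""
    return stat.S_ISREG(mode) and bool(mode & SETID) and head[:2] == b"#!"


def interpreter_of(head):
    """Return the interpreter path named on the '#!' line, or '' if there is none."""
    line = head[2:].split(b"\n", 1)[0].strip()
    return line.split()[0].decode("utf-8", "replace") if line else ""


def scan(root):
    """Walk root without following symlinks; return sorted (path, octal mode, interpreter)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                # Only open regular files that actually have a set-id bit.
                if not (stat.S_ISREG(st.st_mode) and st.st_mode & SETID):
                    continue
                with open(path, "rb") as fh:
                    head = fh.read(256)
            except OSError:
                continue  # unreadable or removed during the walk
            if is_setid_script(st.st_mode, head):
                mode = oct(stat.S_IMODE(st.st_mode))
                findings.append((path, mode, interpreter_of(head)))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed usage: optional first argument is the directory to audit.
    for path, mode, interp in scan(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{mode}\t{interp}\t{path}")
```
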