Bugtraq mailing list archives

Re: IRIX: Bug in startmidi


From: volobuev () T1 CHEM UMN EDU (Yuri Volobuev)
Date: Sun, 9 Feb 1997 21:20:36 -0600


> Whilst browsing around the filesystem on my SGI (running IRIX 5.3), I
> noticed a little suid-root program called 'startmidi' which hides in
> /usr/sbin. When run, this program creates various files in /tmp. You
> guessed it, it respects umask and follows symlinks. Comme ca:
>
> % umask 0
> % ln -s /blardyblar /tmp/.midipid
> % startmidi -d /dev/ttyd1
> % ls -l /blardyblar
> -rw-rw-rw-    1 root     pgrad          0 Feb  9 17:46 /blardyblar
> % stopmidi -d /dev/ttyd1

eh... that's strange.  I was looking at startmidi a while back, but didn't
find any root holes.  Now I look again, still nothing.  Indeed, on my 5.3
box it creates a couple of files in /tmp with known names, but it calls
setreuid(-1,userid) right after the startup, so files are owned by the
caller.  Of course, it's still bad, because the caller's files can be
overwritten, and if you can trick root into calling it... But if you go
there, there are already too few programs running as root (not suid, I mean
cronjobs and such) that do this already.  I was going to make a summary of
dangerous cronjobs, but then got busy with something else.  Run crontab -l
as root to get an impression :).

You must have some special configuration, I reckon.  On the box I was testing on

showfiles | grep startmidi
f 64563 18688 dmedia_eoe.sw.midi usr/sbin/startmidi

It's Irix 5.3 with all security patches applied, plus DSE 1.1.

Still, chmodding-s away startmidi is a good idea. Why should users be able
to screw around with MIDI, anyway?

cheers,

yuri
Always speaking for myself and only for myself.
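Added example, not part of the original thread or of IRIX's startmidi: the two file-creation patterns the thread contrasts, side by side. unsafe_create is the fopen("w") behaviour the report describes (follows a planted symlink, mode decided by umask); safe_create is how a privileged program should create a file in a shared directory (O_CREAT|O_EXCL|O_NOFOLLOW plus an explicit mode). run_trial builds a private scratch directory, plants a symlink named after the .midipid file from the post, and records what each creator does. The directory and file names are constructed for the demo; nothing here touches real startmidi files.

```c
/* Added example (not from the original post): safe vs unsafe creation of a
 * file in a shared directory such as /tmp. Names and paths are hypothetical. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe pattern from the report: follows a pre-planted symlink and lets the
 * caller's umask decide the resulting mode (0666 with umask 0). */
FILE *unsafe_create(const char *path)
{
    return fopen(path, "w");
}

/* Hardened pattern: O_EXCL refuses any pre-existing path (a symlink counts),
 * O_NOFOLLOW is belt and braces, and the explicit mode plus fchmod make the
 * result independent of umask. Returns an fd, or -1 with errno set. */
int safe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) != 0) {          /* defeat a permissive umask */
        int saved = errno;
        close(fd);
        unlink(path);
        errno = saved;
        return -1;
    }
    return fd;
}

struct trial_result {
    int unsafe_followed_link;   /* 1 if fopen wrote through the symlink */
    int safe_refused_link;      /* 1 if safe_create rejected the symlink */
    int safe_mode;              /* permission bits of the file safe_create made */
};

/* Builds a scratch dir, plants a symlink (as the attacker in the post does),
 * then exercises both creators. Returns 0 on success, -1 on setup failure. */
int run_trial(struct trial_result *r)
{
    char dir[64];
    char target[256], lnk[256], fresh[256];
    struct stat st;
    int fd;
    FILE *fp;

    memset(r, 0, sizeof *r);
    strcpy(dir, "/tmp/midi-demo-XXXXXX");            /* constructed names */
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./midi-demo-XXXXXX");           /* fallback if /tmp is off limits */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/.midipid", dir);     /* file name from the post */
    snprintf(fresh, sizeof fresh, "%s/.midipid.new", dir);

    umask(0);                                          /* worst case, as in the report */
    if (symlink(target, lnk) != 0) {                   /* attacker plants the link first */
        rmdir(dir);
        return -1;
    }

    fp = unsafe_create(lnk);                           /* creates "victim" via the link */
    if (fp) {
        fputs("pid\n", fp);
        fclose(fp);
        r->unsafe_followed_link = (stat(target, &st) == 0);
    }

    errno = 0;
    fd = safe_create(lnk);                             /* must refuse the existing symlink */
    r->safe_refused_link = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);

    fd = safe_create(fresh);                           /* fresh name: created as 0600 */
    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            r->safe_mode = (int)(st.st_mode & 07777);
        close(fd);
    }

    unlink(fresh); unlink(target); unlink(lnk); rmdir(dir);
    return 0;
}

int main(void)
{
    struct trial_result r;
    if (run_trial(&r) != 0) { perror("run_trial"); return 1; }
    printf("fopen followed symlink:      %d\n", r.unsafe_followed_link);
    printf("safe_create refused symlink: %d\n", r.safe_refused_link);
    printf("safe_create mode:            %04o\n", r.safe_mode);
    return 0;
}
```

Dropping privileges with setreuid before touching /tmp, as Yuri notes startmidi does on his box, limits the damage to the caller's own files but does not remove the symlink race; O_EXCL on a fresh name (or mkstemp) is what actually closes it.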
