Bugtraq mailing list archives
Re: BSD coredumps follow symlinks
From: ronny () TMX COM AU (Ronny Cook)
Date: Mon, 6 Apr 1998 11:16:04 +1000
lpr will dump core if there is no symlink there. Maybe you failed to install the patch correctly?
If I recall rightly, the first patch disabled the most obvious attacks, but allowed a core dump for a setuid program across a symbolic link *if* the file existed and had 600 permissions (and was owned by the appropriate user). Unfortunately, certain sensitive files (such as /etc/master.passwd) fit these conditions. Thus the later patch under 3.0, which disabled *any* core dump across a symbolic link for *any* setuid program.

Nir's test was only for a nonexistent file, which the earlier patch handles correctly. Unfortunately, in doing so it opens the other security hole which was later patched under 3.0.

...Ronny
--
Ronald Cook, Technical Manager - Message Handling Systems/The Message eXchange
Email: ronny () tmx com au ----- Phone: +61-2-9550-4448 ---- Fax: +61-2-9519-2551
All opinions are my own and not those of TMX unless explicitly stated otherwise.
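
The two behaviours described in the message above, as an added example that is not part of the original post or of any BSD source: a user-space C model of the core-file decision for a setuid process. The names `core_dump_allowed`, `run_case`, `EARLY_PATCH` and `LATER_PATCH` and the scratch files are assumptions constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* lstat, symlink, mkdtemp */
#endif
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

enum policy { EARLY_PATCH, LATER_PATCH };   /* hypothetical names */

/* Decide whether a setuid process may write its core file at `path`.
 * User-space model of the behaviour described in the message, not kernel code. */
bool core_dump_allowed(enum policy p, const char *path, uid_t owner)
{
    struct stat lst, st;
    if (lstat(path, &lst) != 0 || !S_ISLNK(lst.st_mode))
        return true;                 /* no symlink at the core path: normal dump */
    if (p == LATER_PATCH)
        return false;                /* never dump across a symlink */
    if (stat(path, &st) != 0)
        return false;                /* dangling link (target does not exist) */
    /* Early rule: existing regular file, mode 0600, owned by the expected user. */
    return S_ISREG(st.st_mode) && (st.st_mode & 07777) == 0600 && st.st_uid == owner;
}

/* Constructed scenario: <scratch>/lpr.core is a symlink to <scratch>/target. */
int run_case(enum policy p, bool create_target, mode_t target_mode)
{
    char dir[] = "/tmp/coredemo.XXXXXX", target[64], core[64];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(core, sizeof core, "%s/lpr.core", dir);
    if (create_target) {
        FILE *f = fopen(target, "w");
        if (f) fclose(f);
        chmod(target, target_mode);
    }
    int ok = symlink(target, core) == 0 ? core_dump_allowed(p, core, geteuid()) : -1;
    unlink(core); unlink(target); rmdir(dir);
    return ok;
}

int main(void)
{
    printf("early, link to 0600 file : %d\n", run_case(EARLY_PATCH, true, 0600));
    printf("early, dangling link     : %d\n", run_case(EARLY_PATCH, false, 0));
    printf("later, link to 0600 file : %d\n", run_case(LATER_PATCH, true, 0600));
    return 0;
}
```

A test that only uses a dangling link sees both rules refuse the dump; the difference appears only when the link target exists with mode 0600 and the expected owner.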