Bugtraq mailing list archives

Re: using Solaris pax to get files mode 777


From: lavrenko () MCST RU (Victor Lavrenko)
Date: Tue, 6 Oct 1998 14:54:32 +0400


"Hubert" == Hubert Feyrer <feyrer () RFHS8012 FH-REGENSBURG DE> writes:

    Hubert> Hi, I've discovered a bug in Solaris 2.5 and 2.6's pax
    Hubert> (probably others) that might be exploited somehow - at

$ ls -l $(which pax)
-r-xr-xr-x   1 bin      bin        56908 Oct 25  1995 /usr/bin/pax

$ man pax
[skip]
     In read or  copy  modes,  if  intermediate  directories  are
     necessary  to  extract  an  archive member, pax will perform
     actions equivalent to the mkdir(2) function, called with the
     following arguments:

          o the intermediate directory used as the path argument

          o the octal value of 777 or rwx (read, write, and  exe-
            cute   permissions)   as   the   mode  argument  (see
            chmod(1)).
[skip]

So, pax is not root setuid and such behavior is specified in
the manual. If you are running utilities under root and don't read manuals,
your system will be full of security holes. "rm -rf /" is an example
of such an exploit. If you don't know what "rm" does, you may think that
it has security holes. But it doesn't, IMHO.

--
Victor Lavrenko
   Homepage:        http://www.lavrenko.pp.ru/
   E-mail:          lavrenko () mcst ru  lavrenko () cs msu su
   Fingerprint:     35 D0 98 8D 96 E5 F4 BA  59 FB 9D 29 92 26 F5 59
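
Added example, not part of the original post: mkdir(2) masks the requested mode with the process umask, so a directory requested with mode 777 ends up world-writable only when the umask allows it. The shell sketch below shows the resulting modes under three umasks and audits a tree for world-writable directories that lack the sticky bit. The directory names are constructed, and plain mkdir(1) stands in for the mkdir(2) call the manual page describes; whether a particular pax build changes the umask itself is not stated on the page, and the audit works either way.

```shell
#!/bin/sh
# Added example: what "mkdir(2) with mode 777" yields under different umasks,
# and how to audit an extracted tree afterwards.

# mode_under_umask MASK
# Create a directory the way plain mkdir(1) does (mkdir(2) with mode 0777)
# under the given umask and print its permission string, e.g. drwxr-xr-x.
mode_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        mkdir "$tmp/intermediate"            # constructed directory name
        ls -ld "$tmp/intermediate" | cut -c1-10
        rm -rf "$tmp"
    )
}

# audit_world_writable DIR
# Print directories under DIR that "other" may write to and that lack the
# sticky bit, i.e. any local user can create or replace entries in them.
audit_world_writable() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print
}

# demo_count
# Build a constructed tree as an extraction run with umask 000 would leave it,
# add one directory created under umask 022, and count what the audit flags.
demo_count() {
    (
        tmp=$(mktemp -d) || exit 1
        umask 000
        mkdir -p "$tmp/pkg/lib"              # both levels end up mode 777
        umask 022
        mkdir "$tmp/pkg/doc"                 # mode 755, not flagged
        audit_world_writable "$tmp" | wc -l | tr -d ' '
        rm -rf "$tmp"
    )
}

# Show the effective mode for each umask, then the audit result.
for mask in 000 022 077; do
    printf 'umask %s -> %s\n' "$mask" "$(mode_under_umask "$mask")"
done
printf 'world-writable, non-sticky directories in demo tree: %s\n' "$(demo_count)"
```

Pointing `audit_world_writable` at the directory an archive was extracted into, before the files are put to use, shows any intermediate directories that came out world-writable.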


