Bugtraq mailing list archives

Re: regarding the (ex)preserve holes


From: wam () cs purdue edu (William McVey)
Date: Fri, 16 Dec 1994 15:00:20 -0500


Matthew Harding wrote:
How does one go about determining the dangerousness of the (ex)preserve
holes? I notice on my SunOS 4.1.x systems that both expreserve and 
exrecover are suid root, but I assume that the latest versions of either
the editors or the OS ignore this when playing with the IFS variables.
Please tell me this is a correct assumption! I'm not sure if our
friends at 8lgm etc. have a script for this, but I'm curious as to the
ongoing danger of these holes.

I know that the unpatched Sun 4.1.? version of expreserve also suffered
from a race condition where you could trick it into writing its
tempfile onto a symlink to a root owned file.  The patch number is
101579-01 (It's on the Solaris 1.1.1 Recommended Patches list.)

Some of the free UNIX OSs (FreeBSD and NetBSD) as recently as like a 
year ago still had a setuid expreserve that called system(3) to 
send notification mail.  (They have since switched to nvi, which 
has a far superior method of handling editor preserves).

 -- William McVey
    Instructional Labs Administrator
    Purdue University CS Dept.
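A hardened preserve-file open of the kind the symlink race above calls for, written here as an added example for this archive (not code from expreserve, nvi or the Sun patch); the scratch directory, file names and self-check are constructed fixtures:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create the preserve file at `path`, refusing anything already there and
 * never following a symlink.  O_CREAT|O_EXCL makes the existence check and
 * the creation one atomic step, so a link planted between a stat() and the
 * open() cannot redirect the write; O_NOFOLLOW is a second line of defence.
 * fstat() on the descriptor then confirms we really got a fresh regular file. */
int safe_preserve_open(const char *path, mode_t mode)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
    if (fd < 0) return -1;          /* EEXIST or ELOOP: refuse, never retry */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Self-check in a scratch directory (constructed fixture): plant a symlink
 * where the preserve file would go and check the outcomes.  Bitmask:
 * 1 = symlink rejected, 2 = fresh file created, 4 = second create of the
 * same name rejected.  7 means every case behaved as intended. */
int run_selfcheck(void)
{
    char dir[] = "/tmp/preserveXXXXXX", target[64], link[64], fresh[64];
    int result = 0, fd;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/Exaaa00001", dir);
    snprintf(fresh, sizeof fresh, "%s/Exbbb00002", dir);
    close(open(target, O_WRONLY | O_CREAT, 0600));  /* stands in for a protected file */
    if (symlink(target, link) == 0 && safe_preserve_open(link, 0600) < 0)
        result |= 1;
    if ((fd = safe_preserve_open(fresh, 0600)) >= 0) {
        close(fd);
        result |= 2;
        if (safe_preserve_open(fresh, 0600) < 0) result |= 4;
    }
    unlink(fresh); unlink(link); unlink(target); rmdir(dir);
    return result;
}
```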


