Bugtraq mailing list archives

Re: Large security hole in SGI IRIX 5.2


From: steve () cim mcgill ca (Steve Robbins)
Date: Fri, 10 Mar 1995 12:21:18 -0500 (EST)


On Tue, 7 Mar 1995, Software Test Account wrote:

On Fri, 3 Mar 1995, Christian A. Ratliff wrote:

On Thu, 2 Mar 1995 14:03:03 -0500 (EST)  Larry Glaze wrote:

[ ... there's a huge gaping idiotic bug in IRIX's 
  /usr/lib/desktop/permissions ... ]

  The hole comes from the authentication being at the _dirview_ (an SGI 
directory browser) level. You can only pull up 'permissions' when the menu 
item is not grayed out. If you run 'permissions' by hand, you eliminate 
that check and have root access to the permissions on a file.
  Turning the setuid/setgid bit off is a perfectly sensible solution to 
this problem, and it is beyond me why that wasn't the default permissions.


I attempted to verify this problem on one of our SGI IRIX 5.2 boxes and 
found that with or without the sgid/suid bits set and from dirview or 
from the command line -- the permissions routine prompts you for a name 
and password of a privileged user. 

Yeah, but it changes the modes on the target file *BEFORE EVEN ASKING FOR
THE PASSWORD* (if you double click 'apply').  And it doesn't care if you
enter the wrong password! 

--
                Steve Robbins -- Consultant in Computerology
                         steve () cim mcgill ca
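
The thread describes two ordering faults: the access check lives in the caller (dirview) instead of the setuid program, and the mode is changed before the password is verified. The C sketch below is an added example, not SGI's code and not from any poster. It makes the decision inside the helper and touches the file only afterwards; `set_mode_checked`, `auth_fn`, `auth_deny` and `auth_ok` are hypothetical names.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Hypothetical callback standing in for the name/password prompt:
   returns 1 only when a privileged user's credentials verified. */
typedef int (*auth_fn)(void);

/* Constructed stand-ins for a wrong and a correct password. */
int auth_deny(void) { return 0; }
int auth_ok(void)   { return 1; }

/* Hypothetical core of a setuid helper. `caller` is the invoking user
   (getuid() in a real setuid program). Returns 0 on success,
   -1 with errno set when refused or on failure. */
int set_mode_checked(const char *path, mode_t mode, uid_t caller, auth_fn auth)
{
    struct stat st;
    int rc = -1, saved;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);  /* never follow a symlink */

    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0)
        goto out;
    /* The decision is made here, inside the privileged program, so
       running it by hand cannot skip it: the owner may proceed,
       anyone else must authenticate successfully first. */
    if (st.st_uid != caller && (auth == NULL || auth() != 1)) {
        errno = EPERM;
        goto out;
    }
    /* Only after the check passes is the file modified, through the
       same descriptor that was inspected (no check/use race). */
    rc = fchmod(fd, mode & 07777);
out:
    saved = errno;
    close(fd);
    errno = saved;
    return rc;
}
```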


