Bugtraq mailing list archives
Re: IRIX /var/inst/patchbase
From: renauda () SGI COM (Alain Renaud)
Date: Sat, 25 Oct 1997 09:28:07 -0400
The patchbase directory is always 700; the only way to change that is to
do it by hand. So I don't see this as a major issue... The reason the
patchbase directory exists is to be able to remove a patch after it's been
installed. If you feel there is an issue you can always do
cd /var/inst/patchbase
rm -rf .
This will only prevent you from removing the patch you installed....
Hope this helps.
____________________________________________________________________
Alain Renaud renauda () sgi com
Region Technical Analyst Silicon Graphics Cray Research Inc.
"Have a nice day! ... Unless you have other plans ...."
____________________________________________________________________
On Thu, 23 Oct 1997, Paul Tatarsky wrote:
I checked to see if this had been brought up before on Bugtraq, if it
has been, I apologize. Didn't see it in the archive.
Has anyone ever noticed that the IRIX inst patch installs hide away
a copy of the patched binary in /var/inst/patchbase?
While fine I guess for some things where a rollback might be needed, I
also noticed that the various setuid buffer overrun binaries that we
patched are saved away with the setuid bits retained.
For example (as root):
cd /var/inst/patchbase/usr/bsd
ls -al ordist
-rwsr-xr-x 1 root sys 79208 Sep 1 15:42 ordist*
Now, while so far I haven't found /var/inst/patchbase directory
permissions set to anything but root owner, mode 700, I wonder if that
is just thanks to the umask when the inst program is first run? Does
anyone have a world/group readable /var/inst/patchbase? Because if
you do, you could still have a problem.
We are now considering adding this step when adding a patch that is for
setuid buffer overflow style problems in IRIX.
versions removehist patchSGxxxxxxx
That cleans up the stored patchbase items according to the READMEs.
I don't know if that creates any other problems in installing future
patches. Of course you could always remove the setuid bit as well.
I'd be curious if other vendors store away patched binaries setuid
like that. Doesn't seem like a really good idea.
--------------------------------------------------------------------
Paul Tatarsky paul () cse ucsc edu
UC Santa Cruz
CE/CIS Systems Manager
--------------------------------------------------------------------
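An audit helper for the situation Paul describes, added here and not part of either message in this thread: a POSIX sh script that lists setuid/setgid files retained under a patchbase directory and flags the directory itself when group or others can reach it. The path /var/inst/patchbase comes from the thread; the function names and the fallback to BSD stat are my own assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the thread). Lists setuid/setgid files kept
# under an IRIX-style patchbase directory and flags the directory itself
# when group or others can traverse it, the condition discussed above.

# Octal mode bits of a path; GNU stat first, BSD stat as a fallback.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when any group/other permission bit is set on the directory.
patchbase_exposed() {
    mode=$(perm_of "$1")
    # The last two octal digits are the group and other triplets.
    go=$(printf '%s' "$mode" | tail -c 2)
    [ "$go" != "00" ]
}

# Print every regular file under the directory with setuid or setgid set.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Number of set-id files under the directory.
count_setid() {
    list_setid "$1" | wc -l | tr -d ' '
}

# Audit a patchbase directory. Returns 0 when nothing set-id is kept or the
# directory is owner-only, 1 when set-id copies sit in an exposed directory.
audit_patchbase() {
    dir=${1:-/var/inst/patchbase}
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 0; }
    n=$(count_setid "$dir")
    echo "$dir: mode $(perm_of "$dir"), $n set-id file(s) retained"
    [ "$n" -gt 0 ] || return 0
    list_setid "$dir" | while read -r f; do ls -l "$f"; done
    if patchbase_exposed "$dir"; then
        echo "WARNING: $dir is reachable by group/others; set-id copies are exposed"
        return 1
    fi
    echo "ok: directory is owner-only, retained copies are reachable by root only"
    return 0
}

# Audit the directory given as the first argument, or the default path.
if [ "$#" -gt 0 ]; then audit_patchbase "$1"; fi
```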