Full Disclosure mailing list archives

AIX 4.3.3 has make sgid 0?


From: BoneMachine <bonemach () sdf lonestar org>
Date: Mon, 22 Mar 2004 15:16:15 GMT

Hello
I was browsing the SecurityFocus vulnerability database and found the following:
http://www.securityfocus.com/bid/9903
"Because the make utility is reported to run with setGID root privileges, a local attacker may potentially exploit this 
condition to gain access to the root group"

Is this true? I cannot believe that IBM has a setGID root-bit on the make utility. This goes against all security 
practices I've ever heard.
Are there people that have more info on this vulnerability or is this a hoax?

greetings
Bone Machine

---
"I'm the king of airodynamics" - The Pixies
---

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

