Full Disclosure mailing list archives

Re: AIX 4.3.3 has make sgid 0?


From: Valdis.Kletnieks () vt edu
Date: Mon, 22 Mar 2004 13:08:08 -0500

On Mon, 22 Mar 2004 15:16:15 GMT, BoneMachine <bonemach () sdf lonestar org>  said:
Hello
I was browsing the SecurityFocus vulnerability database and found the following:
http://www.securityfocus.com/bid/9903
"Because the make utility is reported to run with setGID root privileges, a local attacker may potentially exploit this condition to gain access to the root group"

Is this true? I cannot believe that IBM has a setGID root-bit on the make utility. This goes against all security practices I've ever heard.

Looks like a crock to me.  We still have one AIX 4.3.3 box left around:

[~]1 uname
AIX
[~]1 oslevel
4.3.3.0
[~]1 ls -l /bin/make
lrwxrwxrwx   1 bin      bin           17 Feb 12 2003  /bin/make -> /usr/ccs/bin/make
[~]1 ls -lL /bin/make                                        
-r-xr-xr-x   1 bin      bin        90234 Jul 18 2001  /bin/make
[~]1 lslpp -L bos.adt.base
  Fileset                      Level  State  Description
  ----------------------------------------------------------------------------
  bos.adt.base              4.3.3.77    C    Base Application Development
                                             Toolkit

So if it was ever sgid 0, IBM fixed that sometime before July 2001.
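
The check from the session above, written as a reusable POSIX shell function that resolves the symlink and tests the mode bits directly. This is an added example, not part of the original message; the function name `sgid_check` and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report setuid/setgid bits on the file a command path resolves to.
# sgid_check is a hypothetical helper name.
# Returns 0 = no special bits, 1 = setuid and/or setgid set, 2 = path not found.
sgid_check() {
    target=$1
    if [ ! -e "$target" ]; then
        echo "$target: not found"
        return 2
    fi
    # ls -L describes the file a symlink points to, like `ls -lL /bin/make`.
    info=$(ls -ldL "$target" | awk '{print $1, $3, $4}')
    mode=${info%% *}
    rest=${info#* }
    owner=${rest% *}
    group=${rest#* }
    flags=""
    # test -u / -g follow symlinks and check the setuid / setgid mode bits.
    if [ -u "$target" ]; then flags="setuid(owner=$owner)"; fi
    if [ -g "$target" ]; then flags="$flags setgid(group=$group)"; fi
    if [ -n "$flags" ]; then
        echo "$target: $mode $flags"
        return 1
    fi
    echo "$target: $mode no setuid/setgid bit"
    return 0
}

# Check every path given on the command line, e.g. ./sgid_check.sh /bin/make
for f in "$@"; do
    sgid_check "$f" || :
done
```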
