From owner-freebsd-bugs Thu Jul 11 4:20:13 2002
Date: Thu, 11 Jul 2002 04:20:04 -0700 (PDT)
Message-Id: <200207111120.g6BBK4SQ090918@freefall.freebsd.org>
To: freebsd-bugs@FreeBSD.org
From: "Artem 'Zazoobr' Ignatjev"
Subject: Re: misc/39951: Sendmail 8.12.3 and `msgs' alias
Reply-To: "Artem 'Zazoobr' Ignatjev"
Sender: owner-freebsd-bugs@FreeBSD.ORG

The following reply was made to PR misc/39951; it has been noted by GNATS.
From: "Artem 'Zazoobr' Ignatjev"
To: freebsd-bugs@FreeBSD.org, FreeBSD-gnats-submit@FreeBSD.org
Cc:
Subject: Re: misc/39951: Sendmail 8.12.3 and `msgs' alias
Date: Thu, 11 Jul 2002 15:09:02 +0400 (MSD)

On Fri, Jun 28, 2002 at 05:20:01AM -0700, FreeBSD-gnats-submit@FreeBSD.org wrote:
> Thank you very much for your problem report.
> It has the internal identification `misc/39951'.
> The individual assigned to look at your
> report is: freebsd-bugs.
>
> >Category: misc
> >Responsible: freebsd-bugs
> >Synopsis: Sendmail 8.12.3 and `msgs' alias
> >Arrival-Date: Fri Jun 28 05:20:01 PDT 2002

More digging led me to the following hack (msgs will now be suid, so if it can be exploited, that'll be one more hole):
I've also noted that the first time BINMODE was set incorrectly (4755 instead of 4555).

---- Begin patch ---- diff -U 3 -r usr.bin/msgs/Makefile usr.bin/msgs/Makefile --- usr.bin/msgs/Makefile Wed Jul 10 20:44:12 2002 +++ usr.bin/msgs/Makefile Wed Jul 10 20:41:08 2002 @@ -4,5 +4,6 @@ PROG= msgs DPADD= ${LIBTERMCAP} LDADD= -ltermcap +BINMODE= 4555 .include diff -U 3 -r usr.bin/msgs/msgs.c usr.bin/msgs/msgs.c --- usr.bin/msgs/msgs.c Wed Jul 10 20:40:12 2002 +++ usr.bin/msgs/msgs.c Wed Jul 10 20:41:21 2002 @@ -179,7 +179,7 @@ setlocale(LC_ALL, ""); time(&t); - setuid(uid = getuid()); + setuid(uid = geteuid()); ruptible = (signal(SIGINT, SIG_IGN) == SIG_DFL); if (ruptible) signal(SIGINT, SIG_DFL); ---- End patch ----

Directions: apply this standing in source tree root (shake well before using :-) )

Sinceherely yours,
Artem 'Zazoobr' Ignatjev.
---
Unix is like a wigwam: No windows, no gates and an apache inside.
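
Review bot: The `+BINMODE= 4555` line in usr.bin/msgs/Makefile turns on the set-user-ID bit without naming whose identity the binary should carry. The hunk sets neither BINOWN nor BINGRP, so msgs is installed setuid to whatever the build's default binary owner is. If the goal is only to let msgs write to its spool when invoked through the sendmail alias, set BINOWN (or use a set-group-ID mode with BINGRP) to a dedicated unprivileged account that owns the spool, and say in a Makefile comment why the bit is needed, so the privilege granted is no wider than the one file tree msgs has to touch.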
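
Review bot: In the msgs.c hunk at line 182, `setuid(uid = geteuid());` replaces a privilege drop with a privilege keep. The old line set the process back to the invoking user; the new one pins it to the file owner's identity for the rest of the run, and the call's return value is still unchecked. It also changes what `uid` holds, from the caller's real uid to the effective uid, so any later code that uses `uid` to decide what the caller may do will now be deciding on the owner's behalf. Keep `uid = getuid()` as the record of who invoked the program, hold the elevated identity only around the spool write that needs it, drop it afterwards, and fail hard if the drop does not succeed.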