From owner-freebsd-security Sun Nov 17 07:51:42 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA06960 for security-outgoing; Sun, 17 Nov 1996 07:51:42 -0800 (PST)
Received: from ns1.zns.net (ns1.zygaena.com [206.148.80.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA06955 for ; Sun, 17 Nov 1996 07:51:22 -0800 (PST)
Received: (from nobody@localhost) by ns1.zns.net (8.7.5/8.7.3) id KAA20979 for ; Sun, 17 Nov 1996 10:51:19 -0500 (EST)
Received: from selway.i.com(198.30.169.1) by ns1.zns.net via smap (V1.3) id sma020977; Sun Nov 17 10:51:08 1996
Received: (from ewb@localhost) by selway.i.com (8.7.3/8.7.3) id KAA09581 for freebsd-security@freebsd.org; Sun, 17 Nov 1996 10:51:03 -0500 (EST)
Date: Sun, 17 Nov 1996 10:51:03 -0500 (EST)
From: Will Brown
Message-Id: <199611171551.KAA09581@selway.i.com>
To: freebsd-security@freebsd.org
Subject: Re: BoS: Exploit for sendmail smtpd bug (ver. 8.7-8.8.2).
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

FYI: The exploit fails on Solaris 2.5. Works on FreeBSD 2.1.5.

On Solaris, /tmp/sh is created (r-sr-sr--) but executing it does not give root privilege. Assume this is due to restrictions in Solaris on executing setuid root programs outside of certain directories? Perhaps that defense can be easily overcome, or is it a good last line of defense? Why not a similar defense in FreeBSD?

My apologies if this has been hashed over already. Obviously not good in any case.

--
Will Brown