From owner-freebsd-security  Wed Dec 25 05:46:14 1996
Return-Path: <owner-security>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.4/8.8.4) id FAA11312
          for security-outgoing; Wed, 25 Dec 1996 05:46:14 -0800 (PST)
Received: from godzilla.zeta.org.au (godzilla.zeta.org.au [203.2.228.19])
          by freefall.freebsd.org (8.8.4/8.8.4) with ESMTP id FAA11286;
          Wed, 25 Dec 1996 05:45:59 -0800 (PST)
Received: (from bde@localhost) by godzilla.zeta.org.au (8.8.3/8.6.9) id AAA26072; Thu, 26 Dec 1996 00:45:28 +1100
Date: Thu, 26 Dec 1996 00:45:28 +1100
From: Bruce Evans <bde@zeta.org.au>
Message-Id: <199612251345.AAA26072@godzilla.zeta.org.au>
To: bugtraq@netspace.org, security-officer@freebsd.org, security@freebsd.org,
        steve@edmweb.com
Subject: Re: FALSE ALARM: Re: Another buggy root cron job
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>My face is very red. 
>
>>From /etc/weekly:
>echo /usr/libexec/locate.updatedb | nice -5 su -m nobody 2>&1 |\
>        fgrep -v 'Permission denied'
>
>It's run as nobody.

Indeed.

There's a similar potential hole in mkdep.  This hole is a bit larger
than the one for the race in mktemp().  No one runs `make depend' or
compiles things as root on public machines, right? ;-)

Bruce