From owner-freebsd-security Fri May 17 13:24:56 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3)
    id NAA15929 for security-outgoing; Fri, 17 May 1996 13:24:56 -0700 (PDT)
Received: from precipice.shockwave.com (precipice.shockwave.com [171.69.108.33])
    by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id NAA15920;
    Fri, 17 May 1996 13:24:51 -0700 (PDT)
Received: from shockwave.com (localhost.shockwave.com [127.0.0.1])
    by precipice.shockwave.com (8.7.5/8.7.3) with ESMTP id NAA01405;
    Fri, 17 May 1996 13:23:16 -0700 (PDT)
Message-Id: <199605172023.NAA01405@precipice.shockwave.com>
To: Glen Foster
cc: jkh@time.cdrom.com, davidg@Root.COM, jkh@freefall.freebsd.org,
    committers@freefall.freebsd.org, security@FreeBSD.org
Subject: Re: cvs commit: src/sbin Makefile
In-reply-to: Your message of "Fri, 17 May 1996 15:48:25 EDT."
    <199605171948.PAA00619@ptavv.nsta.org>
Date: Fri, 17 May 1996 13:23:16 -0700
From: Paul Traina
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

There are two separate problems. One is the crash, which can only be
solved via removing setuid (until we fix it), the other is the symlink
attack, which has been fixed properly.

Two separate security bulletins will be released shortly on this problem
to freebsd-security-notifications@freebsd.org.

  From: Glen Foster
  Subject: Re: cvs commit: src/sbin Makefile

  How about rather than changing the Makefile to not install suid, the
  full path of modload be referenced in the source. Preserves the suid
  functionality and defeats the symlink attack.
  ---
  Glen Foster