From owner-freebsd-audit Thu Jul 4 5:15:43 2002 Delivered-To: freebsd-audit@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D235B37B400 for ; Thu, 4 Jul 2002 05:15:40 -0700 (PDT) Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 5A29B43E31 for ; Thu, 4 Jul 2002 05:15:39 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 52709 invoked by uid 85); 4 Jul 2002 12:28:08 -0000 Received: from unknown (HELO straylight.ringlet.net) (212.116.140.125) by south.nanolink.com with SMTP; 4 Jul 2002 12:28:05 -0000 Received: (qmail 3746 invoked by uid 1000); 4 Jul 2002 12:14:13 -0000 Date: Thu, 4 Jul 2002 15:14:13 +0300 From: Peter Pentchev To: Tim Robbins Cc: Akinori MUSHA , audit@FreeBSD.ORG Subject: Re: suidperl Message-ID: <20020704121413.GB382@straylight.oblivion.bg> Mail-Followup-To: Tim Robbins , Akinori MUSHA , audit@FreeBSD.ORG References: <86sn2zpzmp.wl@daemon.musha.org> <20020704221031.A53275@dilbert.robbins.dropbear.id.au> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vkogqOf2sHV7VnPd" Content-Disposition: inline In-Reply-To: <20020704221031.A53275@dilbert.robbins.dropbear.id.au> User-Agent: Mutt/1.5.1i X-Virus-Scanned: by Nik's Monitoring Daemon (AMaViS perl-11d ) Sender: owner-freebsd-audit@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG --vkogqOf2sHV7VnPd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jul 04, 2002 at 10:10:31PM +1000, Tim Robbins wrote: > On Thu, Jul 04, 2002 at 07:15:58PM +0900, Akinori MUSHA wrote: >=20 > > Index: src/usr.bin/suidperl/Makefile > > =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D > > RCS file: src/usr.bin/suidperl/Makefile > > diff -N src/usr.bin/suidperl/Makefile > > --- /dev/null 1 Jan 1970 00:00:00 -0000 > > +++ src/usr.bin/suidperl/Makefile 4 Jul 2002 10:08:12 -0000 > > @@ -0,0 +1,15 @@ > > +# $FreeBSD$ > > + > > +.PATH: ${.CURDIR}/../perl > > + > > +PROG=3D suidperl > > +SRCS=3D perl.c > > +NOMAN=3D > > +WARNS?=3D 6 > > + > > +BINOWN=3D root > > +.if defined(ENABLE_SUIDPERL) > > +BINMODE=3D4555 > > +.endif >=20 > This is unsafe: >=20 > $ ln -s /bin/sh /tmp/perl > $ env PATH=3D/tmp:$PATH /usr/bin/perl > # id > uid=3D1001(tim) euid=3D0(root) gid=3D1001(tim) groups=3D1001(tim), 0(whee= l) Are you sure that you do not have suidperl still hardlinked to 'perl', exactly the hardlink that the first part of knu's patch removes? :) G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 If I had finished this sentence, --vkogqOf2sHV7VnPd Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9JDwU7Ri2jRYZRVMRAsXPAKCf2t/KhMx1ksgl3bdDt3frUxOWpQCfZSdl hI4/MWrrRtmDYpS5oCux2Ds= =Gugd -----END PGP SIGNATURE----- --vkogqOf2sHV7VnPd-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-audit" in the body of the message