[snip]
>> BTW, since SUID shell scripts are diabled by default on every SGI, you must
>> have enabled them for your exploit to work.
>>
>> 1# systune | grep uid
>> nosuidshells = 1 (0x1)
>
> Wow, here's another bug. Apparently that flag does nothing at all:
>
>.remise.mcn,~ {1} # uname -a
>IRIX remise 6.2 03131015 IP22
>.remise.mcn,~ {2} # systune | grep uid
> nosuidshells = 1 (0x1)
>.remite.mcn,~ {3} # exit
>.remise.mcn,~ {9} > reg4root
># id
>uid=100(mcn) gid=20(user) euid=0(root)
>
>....
>
>reg4root is the exact exploit I posted late last week. It creates a setuid
>shell, and executes it. I guess the nosuidshells flag doesn't do anything?
>
Oh yes, it sure should be doing something... however, not the thing you
think it should be doing: it does NOT disable suid shells.
So what does it do? There is probably some info in the manpage of systune,
but as far as I can remember it should disable setuid _shellscripts_ and
_not_ setuid shells. For IRIX a shell is just a binary like any other
binary, so the setuid bit works like with any other program. As far the name
is concerned...
I guess 'nosuidshells' means 'NOSetUIDSHELLScripts'
$) Henri
Hardware, n.:
The parts of a computer system that can be kicked. - nn.
If God used E-mail, he'd use PGP. - myself