> A.) BSDi doesn't give a damn that the euid!=ruid, so finding a setgid
> program with privileges isn't necessary.
It seems BSDI broke this in 3.0. BSD/OS 2.1 does not have this
problem as far as I can tell. Below is a quick workaround until BSDI
comes out with something. Apply the patch to kern/kern_sig.c. A real
fix would require setting the P_SUGID flag in the exec handler in
kern_exec.c.
> B.) BSDi _does_ however, check if the file exists, so it's quite
> impossible to overwrite files.
Not exactly. Try "ln -s /etc/master.passwd /tmp/lpr.core", for
example. :-0 It seems that if the permissions are 0600 on the file you link
to, it will overwrite the file.
Regards,
stacey@iserver.com
---snip--snip------------------------------------------------------------
*** kern_sig.c.orig Tue Oct 15 12:23:05 1996
--- kern_sig.c Fri Jun 20 16:26:08 1997
***************
*** 1198,1206 ****
* Don't dump if not root and the process has used set user or
* group privileges.
*/
! if (p->p_flag & P_SUGID &&
! (error = suser(p->p_ucred, &p->p_acflag)) != 0)
! return (error);
/* Don't dump if will exceed file size limit. */
if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
--- 1198,1208 ----
* Don't dump if not root and the process has used set user or
* group privileges.
*/
! if ((p->p_flag & P_SUGID || p->p_cred->p_ruid != p->p_ucred->cr_uid) &&
! /*(error = suser(p->p_ucred, &p->p_acflag)) != 0)
! return (error);*/
! p->p_cred->p_ruid)
! return EPERM;
/* Don't dump if will exceed file size limit. */
if (ctob(UPAGES + vm->vm_dsize + vm->vm_ssize) >=
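Review bot: in the new 1198,1208 block the `suser()` call is replaced by a bare test of `p->p_cred->p_ruid`, which changes the rule from "effective root may dump" to "real uid 0 may dump" and also drops the `p_acflag` accounting that `suser(p->p_ucred, &p->p_acflag)` performed; if that is intended it belongs in the patch description, otherwise keep `suser()` and only add the `p_ruid != cr_uid` test next to the `P_SUGID` test. The old `suser()` lines should be deleted rather than left inside a `/* ... */` in the middle of the expression, where the comment separates the `&&` from its operand, and `return EPERM;` should be `return (EPERM);` to match the surrounding `return (error);` style. Since the message itself says the real fix is setting P_SUGID in the exec handler in kern_exec.c, a one-line comment above the condition marking this as a workaround would help whoever removes it later.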
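Added example in C (not from the post or from BSD/OS): a core-file writer that creates the dump with O_CREAT|O_EXCL|O_NOFOLLOW, so the "does the file exist" test the message describes cannot be talked into opening a 0600 file through a planted symlink, exercised on a constructed temp-directory copy of the lpr.core scenario. `safe_core_open`, `run_demo` and the paths under /tmp are assumptions for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a brand-new core file at `path`. O_CREAT|O_EXCL makes the kernel
 * refuse atomically if anything already sits there (a symlink counts, so its
 * 0600 target is never opened or truncated); O_NOFOLLOW is a second guard. */
int safe_core_open(const char *path, mode_t mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
}

/* Constructed scenario in a temp dir (hypothetical paths): a 0600 file that
 * stands in for /etc/master.passwd and lpr.core symlinked to it, as in the
 * post. Returns a bitmask: 1 = symlink refused and target left intact,
 * 2 = existing file refused, 4 = fresh path created; -1 = setup failed. */
int run_demo(void)
{
    char dir[] = "/tmp/coredemo.XXXXXX", target[64], lnk[64], fresh[64], buf[16] = {0};
    int result = 0, fd, rfd;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/master.passwd", dir);
    snprintf(lnk, sizeof lnk, "%s/lpr.core", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.core", dir);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);   /* the "secret" file */
    if (fd < 0 || write(fd, "secret\n", 7) != 7 || symlink(target, lnk) != 0)
        result = -1;
    if (fd >= 0)
        close(fd);
    if (result == 0 && safe_core_open(lnk, 0600) < 0) {   /* planted symlink */
        rfd = open(target, O_RDONLY);                      /* target untouched? */
        if (rfd >= 0 && read(rfd, buf, 15) == 7 && strcmp(buf, "secret\n") == 0)
            result |= 1;
        if (rfd >= 0)
            close(rfd);
    }
    if (result >= 0 && safe_core_open(target, 0600) < 0)  /* existing plain file */
        result |= 2;
    if (result >= 0 && (fd = safe_core_open(fresh, 0600)) >= 0) {   /* fresh path */
        result |= 4;
        close(fd);
    }
    unlink(fresh); unlink(lnk); unlink(target); rmdir(dir);
    return result;
}
```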