> However, it wipes out the target file. A symlink to /etc/passwd comes to
> mind.
The file would retain its permissions. Permissions are set on create; it
is probably simply truncating the file.
>
> But, since it follows the umask, it might be possible to replace binaries
> executed by system...
See above.
>
> In any event, a very dangerous condition...
Indeed. .forward/.rhosts is the most obvious attack.
>
> I do not have the access to source code, so I can't think of a patch.
> Probably replace getenv with getuid or something like that.
It's kinda lame, but:
remove the s bit from the program, write a C program that clears the
environment and exports those variables it needs (setting the user via
getpwuid() or some such), then executes the program (while euid=0,
ruid=you).
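An added example of the wrapper sketched above, not code from the original thread: a setuid-root stub that ignores the inherited environment entirely, rebuilds a minimal one from the passwd entry of the real uid (getpwuid(getuid()), never getenv("USER") or getenv("HOME")), and then execve()s the real program, which has had its s bit removed, with euid still 0 and ruid unchanged. The target path, the allow-list of variable names and the PATH value are assumptions for the example; substitute whatever the program actually reads.

```c
/*
 * Added example (not from the original thread): setuid-root wrapper that
 * discards the caller's environment, rebuilds it from the real user's passwd
 * entry, and execs the de-setuid'd target with euid 0 and ruid unchanged.
 * TARGET, ALLOWED and the PATH value are assumptions for illustration.
 */
#include <ctype.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical location of the real program after its s bit is removed. */
#define TARGET "/usr/local/libexec/target.real"

/* Only these names are allowed to reach the target (assumed list). */
static const char *const ALLOWED[] = { "HOME", "USER", "LOGNAME", "SHELL", "PATH", NULL };

/* Reject values with control characters: a newline in pw_dir or pw_name
 * could otherwise smuggle a second line into whatever file gets written. */
static int value_ok(const char *v)
{
    if (v == NULL) return 0;
    for (; *v; v++)
        if (iscntrl((unsigned char)*v)) return 0;
    return 1;
}

/* Allocate "NAME=value"; returns NULL on allocation failure. */
static char *make_var(const char *name, const char *value)
{
    size_t len = strlen(name) + 1 + strlen(value) + 1;
    char *s = malloc(len);
    if (s == NULL) return NULL;
    snprintf(s, len, "%s=%s", name, value);
    return s;
}

/* Build a minimal environment from the passwd entry of the *real* uid.
 * Fills out[] (NULL-terminated) and returns the entry count, or -1 on a
 * NULL entry, a suspicious value, or too small a buffer. */
int build_safe_env(const struct passwd *pw, char *out[], size_t cap)
{
    if (pw == NULL || cap < 6) return -1;
    if (!value_ok(pw->pw_name) || !value_ok(pw->pw_dir) || !value_ok(pw->pw_shell))
        return -1;
    if (pw->pw_dir[0] != '/') return -1;        /* home must be absolute */

    /* Values in the same order as ALLOWED. */
    const char *vals[] = { pw->pw_dir, pw->pw_name, pw->pw_name, pw->pw_shell,
                           "/bin:/usr/bin" };
    size_t n = 0;
    for (; ALLOWED[n] != NULL; n++) {
        out[n] = make_var(ALLOWED[n], vals[n]);
        if (out[n] == NULL) { while (n) free(out[--n]); return -1; }
    }
    out[n] = NULL;
    return (int)n;
}

/* Independent check on any envp: every entry must be NAME=value with NAME in
 * ALLOWED and no control characters in the value.  Returns 1 if clean. */
int env_is_clean(char *const envp[])
{
    for (size_t i = 0; envp[i] != NULL; i++) {
        const char *eq = strchr(envp[i], '=');
        if (eq == NULL || eq == envp[i] || !value_ok(eq + 1)) return 0;
        size_t nlen = (size_t)(eq - envp[i]);
        int found = 0;
        for (size_t j = 0; ALLOWED[j] != NULL && !found; j++)
            found = strlen(ALLOWED[j]) == nlen && memcmp(ALLOWED[j], envp[i], nlen) == 0;
        if (!found) return 0;
    }
    return 1;
}

int main(int argc, char *argv[])
{
    (void)argc;
    struct passwd *pw = getpwuid(getuid());     /* real uid, not $USER */
    char *envp[8];
    if (build_safe_env(pw, envp, sizeof envp / sizeof envp[0]) < 0 || !env_is_clean(envp)) {
        fprintf(stderr, "wrapper: cannot build a safe environment\n");
        return 1;
    }
    /* euid is still 0 here (the wrapper is setuid root); ruid is the caller. */
    execve(TARGET, argv, envp);
    perror("execve " TARGET);
    return 1;
}
```

The wrapper carries the s bit instead of the program, so the program itself can be chmod u-s; execve() with our own envp means nothing the caller exported (HOME, USER, LD_PRELOAD, IFS, ...) survives, and the target sees only values that came from the passwd database. This closes the getenv hole under discussion and nothing more: the target still inherits the caller's argv and open descriptors, and it still runs with euid 0, so its own file handling (the truncation and symlink-following noted above) is unchanged.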