IRIX /var/inst/patchbase

Paul Tatarsky (paul@CSE.UCSC.EDU)
Thu, 23 Oct 1997 09:48:22 -0700

I checked to see if this had been brought up before on Bugtraq; if it
has been, I apologize. Didn't see it in the archive.

Has anyone ever noticed that the IRIX inst patch installs hide away
a copy of the patched binary in /var/inst/patchbase?

While fine I guess for some things where a rollback might be needed, I
also noticed that the various setuid buffer overrun binaries that we
patched are saved away with the setuid bits retained.

For example (as root):

cd /var/inst/patchbase/usr/bsd
ls -al ordist
-rwsr-xr-x 1 root sys 79208 Sep 1 15:42 ordist*

Now, while so far I haven't found /var/inst/patchbase directory
permissions set to anything but root owner, mode 700, I wonder if that
is just thanks to the umask when the inst program is first run? Does
anyone have a world/group readable /var/inst/patchbase? Because if
you do, you could still have a problem.

We are now considering adding this step to adding a patch that is for
setuid buffer overflow style problems in IRIX.

versions removehist patchSGxxxxxxx

That cleans up the stored patchbase items according to the READMEs.
I don't know if that creates any other problems in installing future
patches. Of course you could always remove the setuid bit as well.

I'd be curious if other vendors store away patched binaries setuid
like that. Doesn't seem like a real good idea.

--------------------------------------------------------------------
Paul Tatarsky paul@cse.ucsc.edu
UC Santa Cruz
CE/CIS Systems Manager
--------------------------------------------------------------------
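
An added example, not part of the original post: a POSIX shell audit of the two conditions the message describes, setuid/setgid copies retained under the patch rollback directory and whether that directory's mode grants anything to group or other. The function names and return codes are hypothetical, and only the mode of the top-level directory is checked.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# The directory to audit is passed as an argument, e.g. /var/inst/patchbase.

# Print every regular file under $1 that still carries a setuid or setgid bit.
list_privileged() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Succeed if directory $1 grants any permission bit to group or other,
# i.e. its mode is anything looser than owner-only (700).
dir_open_to_others() {
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null)" ]
}

# Report on $1. Return codes (assumed convention for this example):
#   0 = no setuid/setgid copies, 1 = copies present but directory is owner-only,
#   2 = copies present and directory is open to group/other, 3 = not a directory.
audit_patchbase() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir"
        return 3
    fi
    found=$(list_privileged "$dir")
    if [ -z "$found" ]; then
        echo "OK: no setuid/setgid files under $dir"
        return 0
    fi
    echo "setuid/setgid copies retained under $dir:"
    printf '%s\n' "$found" | while IFS= read -r f; do ls -ld "$f"; done
    if dir_open_to_others "$dir"; then
        echo "EXPOSED: $dir grants access to group/other"
        return 2
    fi
    echo "CONTAINED: $dir is owner-only"
    return 1
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_patchbase "$1" || exit $?
fi
```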