Re: IRIX /var/inst/patchbase

Alain Renaud (renauda@SGI.COM)
Sat, 25 Oct 1997 09:28:07 -0400

The patchbase directory is always 700; the only way to change that is to
do it by hand. So I don't see this as a major issue... the reason the
patchbase directory exists is to be able to remove a patch after it's been
installed. If you feel there is an issue you can always do

cd /var/inst/patchbase
rm -rf .

This will only prevent you from removing the patch you installed....

Hope this helps.
____________________________________________________________________
Alain Renaud renauda@sgi.com
Region Technical Analyst Silicon Graphics Cray Research Inc.

"Have a nice day! ... Unless you have other plans ...."
____________________________________________________________________

On Thu, 23 Oct 1997, Paul Tatarsky wrote:

> I checked to see if this had been brought up before on Bugtraq, if it
> has been, I apologize. Didn't see it in the archive.
>
> Has anyone ever noticed that the IRIX inst patch installs hide away
> a copy of the patched binary in /var/inst/patchbase?
>
> While fine I guess for some things where a rollback might be needed, I
> also noticed that the various setuid buffer overrun binaries that we
> patched are saved away with the setuid bits retained.
>
> For example (as root):
>
> cd /var/inst/patchbase/usr/bsd
> ls -al ordist
> -rwsr-xr-x 1 root sys 79208 Sep 1 15:42 ordist*
>
> Now, while so far I haven't found /var/inst/patchbase directory
> permissions set to anything but root owner, mode 700, I wonder if that
> is just thanks to the umask when the inst program is first run? Does
> anyone have a world/group readable /var/inst/patchbase? Because if
> you do, you could still have a problem.
>
> We are now considering adding this step to adding a patch that is for
> setuid buffer overflow style problems in IRIX.
>
> versions removehist patchSGxxxxxxx
>
> That cleans up the stored patchbase items according to the README's.
> I don't know if that creates any other problems in installing future
> patches. Of course you could always remove the setuid bit as well.
>
> I'd be curious if other vendors store away patched binaries setuid
> like that. Doesn't seem like a real good idea.
>
> --------------------------------------------------------------------
> Paul Tatarsky paul@cse.ucsc.edu
> UC Santa Cruz
> CE/CIS Systems Manager
> --------------------------------------------------------------------
>
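The check Paul describes (is /var/inst/patchbase really mode 700, and which saved binaries under it still carry the setuid bit) is easy to script. The following is an added example written for this page, not code from either poster or from SGI: a POSIX sh audit that reports the directory's group/other permissions and lists setuid/setgid files under any patchbase-style tree, with an option to strip those bits (Paul's "remove the setuid bit as well"). It goes slightly beyond the mail by also flagging setgid files. The `--demo` mode builds a constructed tree that mimics the `usr/bsd/ordist` layout from the mail; `demo_suid` and `demo_plain` are made-up file names, and all paths are hypothetical.

```shell
#!/bin/sh
# Audit of a patchbase-style tree (added example; not from the original
# mail or from SGI).  Reports whether the directory itself is group/world
# accessible and which files under it keep setuid/setgid bits, and can
# strip those bits as a mitigation.  All paths are hypothetical.

# Exit 0 if any group/other permission bit is set on the directory itself.
# -prune keeps find from descending; POSIX "-perm -mode" means "all of
# these bits set", so each bit is tested on its own.
patchbase_dir_exposed() {
    hit=$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
                              -o -perm -004 -o -perm -002 -o -perm -001 \) \
               -print 2>/dev/null)
    [ -n "$hit" ]
}

# Regular files under the tree with setuid or setgid set, one per line.
patchbase_privileged_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Number of such files; awk so the exit status is 0 even when the count is 0.
patchbase_privileged_count() {
    patchbase_privileged_files "$1" | awk 'END { print NR }'
}

# Mitigation from the thread: keep the saved copies, drop their s-bits.
strip_privileged_bits() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} \;
}

# Constructed demo tree mimicking /var/inst/patchbase/usr/bsd/ordist kept
# setuid; demo_suid and demo_plain are made up for the demonstration.
build_demo_tree() {
    mkdir -p "$1/usr/bsd" "$1/usr/sbin"
    : > "$1/usr/bsd/ordist";      chmod 4755 "$1/usr/bsd/ordist"
    : > "$1/usr/sbin/demo_suid";  chmod 4755 "$1/usr/sbin/demo_suid"
    : > "$1/usr/sbin/demo_plain"; chmod 0755 "$1/usr/sbin/demo_plain"
    chmod 755 "$1"   # deliberately exposed so the audit has something to flag
}

# Human-readable report for one directory.
report() {
    if patchbase_dir_exposed "$1"; then
        echo "WARNING: $1 is group/world accessible (expected mode 700)"
    else
        echo "OK: $1 is not accessible to group/other"
    fi
    n=$(patchbase_privileged_count "$1")
    echo "$n setuid/setgid file(s) kept under $1:"
    patchbase_privileged_files "$1" | sed 's/^/  /'
}

case "${1:-}" in
    --demo)
        tmp=$(mktemp -d) || exit 1
        build_demo_tree "$tmp/patchbase"
        report "$tmp/patchbase"
        strip_privileged_bits "$tmp/patchbase"
        echo "after stripping: $(patchbase_privileged_count "$tmp/patchbase") left"
        rm -rf "$tmp" ;;
    "") echo "usage: $0 --demo | /path/to/patchbase" >&2 ;;
    *)  report "$1" ;;
esac
```

Run it as `sh audit.sh --demo` to see it flag the constructed tree, or `sh audit.sh /var/inst/patchbase` to audit a real one. The `--demo` run first shows two setuid files and an exposed directory, then zero after stripping; on a live system the point is that an unexpected group/other bit on the directory combined with a non-zero count is exactly the situation Paul warns about.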