Bugtraq mailing list archives

Re: SunOS syslog() fix, finally...


From: casper () holland Sun COM (Casper Dik)
Date: Fri, 17 Nov 1995 09:26:30 +0100


If you are a BOFH then just kill the setuid bit on ufsrestore.  It
means that root has to do the restores but it does close an awful lot
of holes (like someone dragging in a QIC and restoring their favourite
version of /etc/passwd.... need I say more?).  Or you could just
remove the global rx though this may bugger up remote root users.

The set-uid bit can be safely removed from restore.

It is required only if normal users need to be able to restore stuff from
remote tape devices (using the rmt protocol which is based on rcmd(3)).

It is not true that the set-uid bit on restore is a security risk
in that ordinary users can restore files anywhere on the system or
have them owned by another user.  Restore resets the uid to the uid
of the invoking user before writing files.

It was possible in early versions of SunOS (4.0, fixed in 4.1) to restore
a set-uid root shell as ordinary user.

It was a gaping security hole as you don't need to bring a tape, just a
file in dump format with a set-uid root shell would be enough.  You can
easily create such a file when you know the dump format or on a system
you do have root access to.

Casper


