Bugtraq mailing list archives

Re: Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm]


From: henson () intranet csupomona edu (Paul B. Henson)
Date: Fri, 6 Dec 1996 09:49:38 -0800


chkperm is suid to bin and /usr/bin/ directory is owned by root
in Solaris 2.4 and above, that causes the error message and no .rhosts is
created.

chkperm is also sgid to bin:

-rwsr-sr-x   1 bin      bin         8452 Oct 25  1995 /usr/vmsys/bin/chkperm

and /usr/bin is writable by the bin group:

drwxrwxr-x   2 root     bin         8704 Nov 15 13:43 /usr/bin

So the root ownership of /usr/bin would not deny chkperm write privs.


From what I understand, this bug works on 2.4, but not 2.5+, so something
must have changed between the two, but I don't think it was the ownership
of the /usr/bin directory.


--
Paul Henson  |  System Administrator  |  Cal Poly Pomona  |  (909) 869-3781
pbhenson () csupomona edu | finger henson () brick dce csupomona edu for PGP key
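
The permission reasoning in the message above, worked through as an added example that is not part of the original post: it parses the two `ls -l` listings quoted there and reports which permission class, if any, lets the set-id process create entries in the directory. The function names and the `nobody` caller identity are assumptions for illustration, and supplementary groups are ignored.

```python
import re

# One `ls -l` line: type, 9 mode chars, link count, owner, group, ..., path.
LS_RE = re.compile(r"^([-d])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+.*\s(/\S+)$")

def parse_ls(line):
    """Parse an `ls -l` line into a dict of mode string, owner, group, path."""
    m = LS_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised ls -l line: {line!r}")
    _, mode, owner, group, path = m.groups()
    return {"mode": mode, "owner": owner, "group": group, "path": path}

def effective_ids(binary, caller_user, caller_group):
    """Set-id bits swap the caller's IDs for the file's owner and/or group."""
    mode = binary["mode"]
    euid = binary["owner"] if mode[2] in "sS" else caller_user
    egid = binary["group"] if mode[5] in "sS" else caller_group
    return euid, egid

def dir_write_class(binary, directory, caller_user="nobody", caller_group="nobody"):
    """Return the permission class that lets the process create entries in
    the directory ('root', 'owner', 'group', 'other'), or None if denied."""
    euid, egid = effective_ids(binary, caller_user, caller_group)
    if euid == "root":
        return "root"  # superuser bypasses mode bits
    mode = directory["mode"]
    # Exactly one class is consulted: owner first, then group, then other.
    if euid == directory["owner"]:
        cls, start = "owner", 0
    elif egid == directory["group"]:
        cls, start = "group", 3
    else:
        cls, start = "other", 6
    # Creating a file needs write plus search (x; s/t also imply x) on the dir.
    can_write = mode[start + 1] == "w" and mode[start + 2] in "xst"
    return cls if can_write else None

# The two listings quoted in the message above.
CHKPERM = parse_ls("-rwsr-sr-x   1 bin      bin         8452 Oct 25  1995 /usr/vmsys/bin/chkperm")
USR_BIN = parse_ls("drwxrwxr-x   2 root     bin         8704 Nov 15 13:43 /usr/bin")

if __name__ == "__main__":
    print(effective_ids(CHKPERM, "nobody", "nobody"))
    print(dir_write_class(CHKPERM, USR_BIN))
```

The same check returns `None` if either the setgid bit on the binary or the group write bit on the directory is cleared, which is how the listing would look after hardening.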


