[Full-Disclosure] AIX 4.3.3 has make sgid 0?
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: [Full-Disclosure] AIX 4.3.3 has make sgid 0?
- From: BoneMachine <bonemach@xxxxxxxxxxxxxxxx>
- Date: Mon, 22 Mar 2004 15:16:15 GMT
Hello
I was browsing the SecurityFocus vulnerability database and found the following:
http://www.securityfocus.com/bid/9903
"Because the make utility is reported to run with setGID root privileges, a
local attacker may potentially exploit this condition to gain access to the
root group"
Is this true? I cannot believe that IBM has a setGID root-bit on the make
utility. This goes against all security practices I've ever heard.
Are there people that have more info on this vulnerability or is this a hoax?
greetings
Bone Machine
---
"I'm the king of airodynamics" - The Pixies
---
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
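
A local check for the condition the quoted advisory text describes, as an added example that is not part of the original post: it reports whether a file has the set-group-ID bit set and belongs to a given numeric group (0, the root group, by default). The function names are hypothetical, and the path to audit is supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the original post; function names are hypothetical.
# sgid_status FILE [GID] prints one verdict word:
#   missing     FILE does not exist
#   no-sgid     the set-group-ID bit is clear
#   sgid-match  the bit is set and the file's group is GID (default 0, the root group)
#   sgid-other  the bit is set but the file belongs to a different group
sgid_status() {
    file=$1
    want_gid=${2:-0}
    if [ ! -e "$file" ]; then
        echo missing
        return 0
    fi
    # test -g is true only when the set-group-ID bit is set (symlinks are followed)
    if [ ! -g "$file" ]; then
        echo no-sgid
        return 0
    fi
    # ls -n prints numeric owner and group ids; -L follows symlinks like test -g does
    file_gid=$(ls -lnLd -- "$file" | awk '{print $4}')
    if [ "$file_gid" = "$want_gid" ]; then
        echo sgid-match
    else
        echo sgid-other
    fi
}

# Report every path given, one "verdict<TAB>path" line each,
# e.g. audit_sgid "$(command -v make)"
audit_sgid() {
    for path in "$@"; do
        printf '%s\t%s\n' "$(sgid_status "$path")" "$path"
    done
}

# When run as a script, audit the paths passed on the command line.
[ $# -eq 0 ] || audit_sgid "$@"
```

A verdict of `sgid-match` for the installed make binary would confirm the reported condition on that system; `no-sgid` would not.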