On Mon, 22 Mar 2004 15:16:15 GMT, BoneMachine <bonemach@xxxxxxxxxxxxxxxx> said:
> Hello
> I was browsing the SecurityFocus vulnerability database and found the
> following:
> http://www.securityfocus.com/bid/9903
> "Because the make utility is reported to run with setGID root privileges, a
> local attacker may potentially exploit this condition to gain access to the
> root group"
>
> Is this true ? I cannot believe that IBM has an setGID root-bit on the make
> utillity. This goes against all security practices I've ever heard.
Looks like a crock to me. We still have one AIX 4.3.3 box left around:
[~]1 uname
AIX
[~]1 oslevel
4.3.3.0
[~]1 ls -l /bin/make
lrwxrwxrwx 1 bin bin 17 Feb 12 2003 /bin/make ->
/usr/ccs/bin/make
[~]1 ls -lL /bin/make
-r-xr-xr-x 1 bin bin 90234 Jul 18 2001 /bin/make
[~]1 lslpp -L bos.adt.base
Fileset Level State Description
----------------------------------------------------------------------------
bos.adt.base 4.3.3.77 C Base Application Development
Toolkit
So if it was ever sgid 0, IBM fixed that sometime before July 2001.
Attachment:
pgp00093.pgp
Description: PGP signature