rosso@sco.COM (Ross Oliver) (04/26/89)
A method of breaking system security has been found in the program /usr/lib/ex3.7preserve, the program that saves files from crashed vi sessions. This executable is set-UID to root, and it is possible for a user to become root using this program. However, by changing file and directory permissions, it is possible to prevent security breaks.

ex3.7preserve is set-UID to root because the directory where vi writes its buffers, /usr/preserve, is owned by root. This prevents users from modifying the saved files. However, any other unused UID will work as well. So, by changing the ownership of the preserve program and the /usr/preserve directory to a unique non-root user ID, the security breach is effectively closed. A user will still be able to become the user that owns ex3.7preserve, but since that UID does not have root or any other special privileges, the system remains secure.

The following commands, when executed by the super user, will prevent a security breach:

    echo "viadmin:NOLOGIN:22:50:vi preserve owner:/:" >> /etc/passwd
    chown viadmin /usr/lib/ex3.7preserve
    chmod 4711 /usr/lib/ex3.7preserve
    chown viadmin /usr/preserve

If UID 22 is already in use on your system, change "22" in the first command to use an unused UID.

Note that this problem affects all versions of SCO XENIX, both 286- and 386-based. It has also been verified on other UNIX systems, and probably exists on any system where the vi preserve program is set-UID root.

Ross Oliver
Technical Support
The Santa Cruz Operation, Inc.
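A way to check the result of the commands above, added here as an example and not part of the original post: it tests whether a UID is already taken before the passwd entry is appended, and reports whether the preserve program is still set-UID root or now shares an unprivileged owner with /usr/preserve. The function names are hypothetical, and it assumes an `ls -ln` whose third column is the numeric owner UID.

```shell
#!/bin/sh
# Added example: audit the ownership change described in the post.
# Function names are hypothetical; paths are the ones the post names.

# uid_in_use UID [PASSWD_FILE]
# Exit 0 if UID already appears in the third field of the passwd file.
uid_in_use() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' \
        "${2:-/etc/passwd}"
}

# verdict BIN_LS_LINE DIR_LS_LINE
# Takes one `ls -ln` line for the preserve binary and one `ls -ldn` line
# for the preserve directory, and prints a one-word verdict.
verdict() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        NR == 1 { mode = $1; bin_uid = $3 }
        NR == 2 { dir_uid = $3 }
        END {
            c = substr(mode, 4, 1)            # owner-execute slot: s or S means set-UID
            if (c != "s" && c != "S")         print "NOT-SETUID"
            else if (bin_uid == "0")          print "SETUID-ROOT"
            else if (bin_uid != dir_uid)      print "OWNER-MISMATCH"
            else                              print "FIXED"
        }'
}

# audit [BINARY] [DIRECTORY]
# Runs ls on the live system and prints the verdict; exit 2 if ls fails.
audit() {
    bin=${1:-/usr/lib/ex3.7preserve}
    dir=${2:-/usr/preserve}
    b=$(ls -ln "$bin") && d=$(ls -ldn "$dir") || return 2
    verdict "$b" "$d"
}
```

SETUID-ROOT is the state the post warns about, and OWNER-MISMATCH means only one of the two chown commands was applied.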