brsmith@umn-cs.cs.umn.edu (Brian R. Smith) (02/07/90)
We just received our Dynix security update quickship, and as part of the instructions, it says to: [...] - 'cd /usr/ucb' - 'mv chfn chfn.ORIG' - 'mv chsh chsh.ORIG' - 'mv lpr lpr.ORIG' [...] - 'cd /usr/bin' - 'mv uuq uuq.ORIG' - 'cd /bin' - 'mv passwd passwd.ORIG' [...] This appears to be WRONG. If the security holes in these commands are due to their being set-uid root, this changes NOTHING. The commands are still there and still executable. The must be either removed, stripped of execute permissions, or, at the very least, stripped of the set-uid bit. Because I don't know the nature of the security holes in these commands, I can't be sure that all of these have that problem. I am 98% sure that /bin/passwd.ORIG will, though. The old and the new seem to be functionally identical, and the old /bin/passwd would not be affected by a name change (I checked the source), so it must have the same problems. If I am wrong, please tell me so. You're not going to find any *.ORIG files on my machine, though... Take care, -- Brian brsmith@umn-cs.cs.umn.edu University of Minnesota Department of Computer Science