dls@j.cc.purdue.edu (David L. Stevens) (10/21/86)
Index: /usr/src/ucb/rdist/server.c 4.3BSD
Description:
rdist doesn't propagate sticky bits.
Repeat-By:
touch /tmp/hose;chmod 1751 /tmp/hose;rdist -c /tmp/hose <machine>
Fix:
The fix is simply to set the mask of bits which require a chmod()
to include the sticky bit, as well as the setuid and setgid bits.
Diffs follow.
*** OLD server.c Tue Oct 21 09:15:06 1986
--- server.c Tue Oct 21 09:10:29 1986
***************
*** 1035,1041
if (userid)
setreuid(userid, 0);
if (chown(file, uid, gid) < 0 ||
! (mode & 06000) && chmod(file, mode) < 0) {
note("%s: chown or chmod failed: file %s: %s",
host, file, sys_errlist[errno]);
}
--- 1035,1041 -----
if (userid)
setreuid(userid, 0);
if (chown(file, uid, gid) < 0 ||
! (mode & 07000) && chmod(file, mode) < 0) {
note("%s: chown or chmod failed: file %s: %s",
host, file, sys_errlist[errno]);
}
--
+-DLS (dls@j.cc.purdue.edu)lepreau@utah-cs.UUCP (Jay Lepreau) (10/30/86)
There is a minor security problem with the recommended fix to allow
rdist to propagate sticky bits: normally only root is allowed to set the
sticky bit. But with the proposed fix, if a user has a machine on which
he has root privileges, and then rdist's (as himself) a file to a
machine on which he does not have root privs, he can introduce binaries
with the sticky bit set. No big deal, but here's a better way to fix
rdist/server.c:
1038c1038,1039
< (mode & 06000) && chmod(file, mode) < 0) {
---
> (mode & (06000 | (userid ? 0 : S_ISVTX))) &&
> chmod(file, mode) < 0) {