dls@j.cc.purdue.edu (David L. Stevens) (10/21/86)
Index: /usr/src/ucb/rdist/server.c 4.3BSD Description: rdist doesn't propagate sticky bits. Repeat-By: touch /tmp/hose;chmod 1751 /tmp/hose;rdist -c /tmp/hose <machine> Fix: The fix is simply to set the mask of bits which require a chmod() to include the sticky bit, as well as the setuid and setgid bits. Diffs follow. *** OLD server.c Tue Oct 21 09:15:06 1986 --- server.c Tue Oct 21 09:10:29 1986 *************** *** 1035,1041 if (userid) setreuid(userid, 0); if (chown(file, uid, gid) < 0 || ! (mode & 06000) && chmod(file, mode) < 0) { note("%s: chown or chmod failed: file %s: %s", host, file, sys_errlist[errno]); } --- 1035,1041 ----- if (userid) setreuid(userid, 0); if (chown(file, uid, gid) < 0 || ! (mode & 07000) && chmod(file, mode) < 0) { note("%s: chown or chmod failed: file %s: %s", host, file, sys_errlist[errno]); } -- +-DLS (dls@j.cc.purdue.edu)
lepreau@utah-cs.UUCP (Jay Lepreau) (10/30/86)
There is a minor security problem with the recommended fix to allow rdist to propagate sticky bits: normally only root is allowed to set the sticky bit. But with the proposed fix, if a user has a machine on which he has root privileges, and then rdist's (as himself) a file to a machine on which he does not have root privs, he can introduce binaries with the sticky bit set. No big deal, but here's a better way to fix rdist/server.c: 1038c1038,1039 < (mode & 06000) && chmod(file, mode) < 0) { --- > (mode & (06000 | (userid ? 0 : S_ISVTX))) && > chmod(file, mode) < 0) {