I originally asked:
>I just got this e-mail from a friend. Does anybody "in the know" have
>a comment on Solaris' vulnerability to this problem?
>>>FYI: It was mentioned that Solaris has the same vulnerability
>>>(SCO, Solaris, and [shoot, one other]). Just thought you'd like
>>>to be aware of it, though you don't have to worry about users online..
And Casper Dik responded almost immediately...
>Solaris is not vulnerable to this problem, there's nothing at address 0 so
>you get a SIGSEGV instead.
>[ ... ]
>Obviously, *any* system which contains pt_chmod which has set-uid permissions
>is a gross overstatement:
> - on reasonable systems dereferencing NULL causes an error
> [ on Solaris chown returns EFAULT ]
> - on some systems pt_chmod bails out when ptsname() returns NULL
> (i.e., they fixed the bug)
>All in all, pt_chmod is a *much* better solution than making xterm, screen,
>splitvt, cmdtool, shelltool, etc set-uid root.
>>> * The values given in null_file work on our SCO 3.2v4 system. On some
>>> * systems the values may change from process to process. To find out the
>>> * correct values for your system, run /usr/lib/pt_chmod under your
>>> * debugger, and print the first few words from address 0 onwards, until
>>> * you hit a null byte.
>Which doesn't work in Solaris as there's nothing mapped there.
>(Adb will give you "data address not found")
-- Tom Mornini
-- PostScript Electronic Prepress
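
The fix mentioned in the reply above (bailing out when ptsname() returns NULL instead of passing the result on to chown()) can be sketched as follows. This is an added example, not part of the original thread and not any vendor's pt_chmod source; the helper name grant_slave(), the character-device check and the 0620 mode are assumptions made for illustration.

```c
/* Added example: hardened slave-pty ownership change (hypothetical helper). */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 600   /* exposes ptsname() in <stdlib.h> */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Same prototype as <stdlib.h>; repeated so the file still compiles if a
   system header was pulled in before the feature macro above took effect. */
char *ptsname(int fd);

/* grant_slave() is a hypothetical name. Returns 0 on success, -1 on failure. */
int grant_slave(int master_fd, uid_t uid, gid_t gid)
{
    const char *slave = ptsname(master_fd);
    struct stat st;

    /* The check the thread describes: stop when ptsname() fails, rather
       than handing a NULL path to chown(). */
    if (slave == NULL)
        return -1;

    /* Assumed extra check: only touch a character device at that path. */
    if (stat(slave, &st) != 0 || !S_ISCHR(st.st_mode))
        return -1;

    if (chown(slave, uid, gid) != 0)
        return -1;

    /* Assumed mode 0620: owner read/write, group write. */
    return chmod(slave, S_IRUSR | S_IWUSR | S_IWGRP);
}

int main(void)
{
    /* fd -1 is not a pty master, so ptsname() returns NULL here. */
    if (grant_slave(-1, getuid(), getgid()) != 0)
        puts("refused: descriptor is not a pty master");
    return 0;
}
```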
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:06 CDT