On Mon, 22 Mar 2004 15:16:15 GMT, BoneMachine <[EMAIL PROTECTED]> said: > Hello > I was browsing the SecurityFocus vulnerability database and found the following: > http://www.securityfocus.com/bid/9903 > "Because the make utility is reported to run with setGID root privileges, a local > attacker may potentially exploit this condition to gain access to the root group" > > Is this true ? I cannot believe that IBM has an setGID root-bit on the make > utillity. This goes against all security practices I've ever heard.
Looks like a crock to me. We still have one AIX 4.3.3 box left around:
[~]1 uname
AIX
[~]1 oslevel
4.3.3.0
[~]1 ls -l /bin/make
lrwxrwxrwx 1 bin bin 17 Feb 12 2003 /bin/make -> /usr/ccs/bin/make
[~]1 ls -lL /bin/make
-r-xr-xr-x 1 bin bin 90234 Jul 18 2001 /bin/make
[~]1 lslpp -L bos.adt.base
Fileset Level State Description
----------------------------------------------------------------------------
bos.adt.base 4.3.3.77 C Base Application Development
Toolkit
So if it was ever sgid 0, IBM fixed that sometime before July 2001.
pgp00000.pgp
Description: PGP signature
