I opted for #2, since it requires no changes to existing start/stop scripts.

 > 2.  Enforce the sticky bit on the var directory.  From Solaris' chmod(2)
 > manpage:
 >      If a directory is writable and has S_ISVTX (the sticky  bit)
 >      set,  files  within that directory can be removed or renamed
 >      only if one or more of the following is true (see  unlink(2)
 >      and rename(2)):
 >         o  the user owns the file
 >         o  the user owns the directory
 >         o  the file is writable by the user
 >         o  the user is a privileged user
 > (Privileged user means 'root'.)  We only need to enforce the sticky bit
 > if we start as root and are doing the requisite setuid().  My patch
 > already has a test for this.

Patch is attached, against the current release.  (diff -c, God bless
Solaris... heh)

Matt Behrens <[EMAIL PROTECTED]>
System Analyst, Baker Furniture


Reply via email to