COMMAND
pax
SYSTEMS AFFECTED
Solaris 2.5, 2.6 (others?)
PROBLEM
Hubert Feyrer found behaviour in the pax of Solaris 2.5 and 2.6 (probably
other releases too) that may represent a vulnerability; at the very least
it can open security holes if you are not aware of it. When pax copies a
symbolic link while told to preserve attributes (-p e), it sets the
permissions of the file the symlink points to, not of the link itself, to
mode 777. That target may be anywhere on the system, so a symlink sitting
in a tree that root later copies with pax is enough to make an arbitrary
file world-writable. Example:
rfhs8012# cd /tmp
rfhs8012# mkdir test
rfhs8012# cd test
rfhs8012# mkdir orig copy
rfhs8012# touch non-public-file
rfhs8012# ln -s `pwd`/non-public-file orig
rfhs8012# ls -laL orig
total 16
drwxr-xr-x 2 root other 117 Oct 5 11:05 .
drwxr-xr-x 4 root other 191 Oct 5 11:05 ..
-rw-r--r-- 1 root other 0 Oct 5 11:05 non-public-file
rfhs8012# find . -ls
18 4 drwxr-xr-x 4 root other 191 Oct 5 11:05 .
19 4 drwxr-xr-x 2 root other 117 Oct 5 11:05 ./orig
23 4 lrwxrwxrwx 1 root other 25 Oct 5 11:05 ./orig/non-public-file -> /tmp/test/non-public-file
21 4 drwxr-xr-x 2 root other 69 Oct 5 11:04 ./copy
22 0 -rw-r--r-- 1 root other 0 Oct 5 11:05 ./non-public-file
rfhs8012# pax -rw -pe -v orig copy
copy/orig
copy/orig/non-public-file
rfhs8012# find . -ls
18 4 drwxr-xr-x 4 root other 191 Oct 5 11:05 .
19 4 drwxr-xr-x 2 root other 117 Oct 5 11:05 ./orig
23 4 lrwxrwxrwx 1 root other 25 Oct 5 11:05 ./orig/non-public-file -> /tmp/test/non-public-file
21 4 drwxr-xr-x 3 root other 106 Oct 5 11:05 ./copy
24 4 drwxr-xr-x 2 root other 117 Oct 5 11:05 ./copy/orig
25 4 lrwxrwxrwx 1 root other 25 Oct 5 11:05 ./copy/orig/non-public-file -> /tmp/test/non-public-file
22 0 -rwxrwxrwx 1 root other 0 Oct 5 11:05 ./non-public-file
Et voila: non-public-file, a file pax was never asked to copy, is now mode
777 and hence world-writable. The mode it received is exactly that of the
symlink (lrwxrwxrwx), which is what you would expect if pax preserved the
link's own mode with chmod(2), a call that follows symbolic links.
SOLUTION
pax is not setuid root, and the behaviour of -p e (preserve everything,
including mode) is documented in the manual page. If you run utilities as
root without reading their manuals, your system will be full of security
holes. Still, this command can have unwanted effects, so be warned: before
copying a tree as root with pax -p e, check it for symbolic links
(find dir -type l), since a link target may end up mode 777, and afterwards
verify that no link target changed mode.