Path: utzoo!utgpu!news-server.csri.toronto.edu!bonnie.concordia.ca!thunder.mcrcim.mcgill.edu!snorkelwacker.mit.edu!mintaka!olivea!uunet!auspex!guy
From: guy@auspex.auspex.com (Guy Harris)
Newsgroups: comp.unix.wizards
Subject: Re: getting vendors to fix security bugs
Message-ID: <6182@auspex.auspex.com>
Date: 20 Feb 91 21:45:35 GMT
References: <15236@smoke.brl.mil> <123382@uunet.UU.NET> <1991Feb20.004811.28521@convex.com>
Organization: Auspex Systems, Santa Clara
Lines: 14

>Speaking of which I wonder when they'll get around to fixing or disabling
>suid scripts.  Anybody have the very latest release of SunOS and able to
>verify whether the bug's still there?

SunOS 4.1 still allows set-UID shell scripts, and doesn't close the
*current* most-infamous security hole.  Unfortunately, I don't think its
existence is documented; were it documented, I wouldn't see any need to
disable suid scripts, as I suspect most users can somehow summon enough
self-discipline not to use set-UID shell scripts, even if their system
allows them, if the security risk is greater than the benefits.

S5R4 should close the *particular* hole mentioned above by using
"/dev/fd/N" (although there may well be others lurking), so SunOS/S5R4
should as well.