Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84 SMI; site sun.uucp
Path: utzoo!watmath!clyde!burl!ulysses!allegra!mit-eddie!genrad!decvax!decwrl!sun!guy
From: guy@sun.uucp (Guy Harris)
Newsgroups: net.micro.att
Subject: Re: Sa package posted to net.sources and at security hole
Message-ID: <2736@sun.uucp>
Date: Fri, 30-Aug-85 21:17:16 EDT
Article-I.D.: sun.2736
Posted: Fri Aug 30 21:17:16 1985
Date-Received: Sun, 1-Sep-85 06:02:59 EDT
References: <638@astrovax.UUCP>
Distribution: net
Organization: Sun Microsystems, Inc.
Lines: 17

> There is a security problem with the at command I posted earlier:
> because the atrun program gets the uid and gid it should set things
> to from the file in /usr/spool/at, a user can use 'chown' to make
> a file he submitted be owned by anyone (i.e. root) and so executed
> with that uid!... The real problem is System V's 'chown' command
> (so those systems without it, ignore all this); can anyone think
> of some cleaner way?

"chown" system call, not command, actually.

Yes, there is a cleaner solution, which is used by the System V "at" command
(yes, it has one, but if the PC 7300 doesn't have it I have no idea why;
things like "cron" and "at" are useful even on single-user machines). Have
"at" turn the set-UID bit on for all scripts, and have "atrun" require that
bit to be on. "chown"s not done by the super-user cause the set-UID bit to
be turned off (obviously).

	Guy Harris
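
The check described in the reply above, as an added example that is not part of the original post and is not the System V source: the "atrun" side refuses any spool file whose set-UID bit is off before it trusts the file's owner. The function names, the `/tmp` path and the sample uid/gid values are assumptions made for illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: decide from the spool file's stat data whether the
 * job may run, and as whom. Returns 0 and fills *uid and *gid, or -1. */
int at_job_owner(const struct stat *st, uid_t *uid, gid_t *gid)
{
    if (!S_ISREG(st->st_mode))      /* jobs are plain files */
        return -1;
    if (!(st->st_mode & S_ISUID))   /* bit gone: owner may have been changed */
        return -1;
    *uid = st->st_uid;
    *gid = st->st_gid;
    return 0;
}

/* fstat() an already-open job so the file checked is the file later run. */
int at_job_owner_fd(int fd, uid_t *uid, gid_t *gid)
{
    struct stat st;
    return fstat(fd, &st) == 0 ? at_job_owner(&st, uid, gid) : -1;
}

/* Constructed stat data for checks and demos (uid/gid values are made up). */
struct stat sample_job(mode_t mode, uid_t uid, gid_t gid)
{
    struct stat st = {0};
    st.st_mode = mode;
    st.st_uid = uid;
    st.st_gid = gid;
    return st;
}

int main(void)
{
    char path[] = "/tmp/atjobXXXXXX";   /* constructed spool file */
    uid_t uid; gid_t gid;
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    fchmod(fd, S_ISUID | 0700);         /* what "at" does at submit time */
    printf("as queued: %d\n", at_job_owner_fd(fd, &uid, &gid));
    fchmod(fd, 0700);                   /* bit cleared, as after a user's chown */
    printf("bit cleared: %d\n", at_job_owner_fd(fd, &uid, &gid));
    close(fd); unlink(path);
    return 0;
}
```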