Path: utzoo!mnetor!uunet!husc6!cmcl2!brl-adm!brl-smoke!gwyn
From: gwyn@brl-smoke.ARPA (Doug Gwyn )
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <7659@brl-smoke.ARPA>
Date: 12 Apr 88 12:22:19 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <478@minya.UUCP> <7521@ncoast.UUCP> <130@heart-of-gold> <4209@ihlpf.ATT.COM> <1458@runx.ips.oz>
Reply-To: gwyn@brl.arpa (Doug Gwyn (VLD/VMB) <gwyn>)
Organization: Ballistic Research Lab (BRL), APG, MD.
Lines: 10

In article <1458@runx.ips.oz> avenger@runx.ips.oz (Troy Rollo ) writes:
>The program then creates a new file on another directory under your
>uid and gid with the mode 6777 (setuid, setgid, rwx for all).
>Later another program can be copied over it. Alternatively that
>program can be placed in the file by the bogus rnews.

The "alternative" has to be used, since writing a file normally
clears the set-?ID bits, at least on reasonable implementations
of UNIX.  (The exception is when UID 0 does this, but "news"
should not be UID 0.)