Subject: Re: [secure@FREEBSD.LUBLIN.PL: FreeBSD (and other BSDs?) local root explot]
To: Manuel Bouyer <bouyer@antioche.lip6.fr>
From: Todd C. Miller <Todd.Miller@courtesan.com>
List: tech-security
Date: 08/27/1999 08:46:37
Message-Id: <199908271446.IAA10338@xerxes.cs.colorado.edu>
cc: tech-security@netbsd.org
In-reply-to: Your message of "Fri, 27 Aug 1999 16:38:03 +0200."
             <19990827163803.A483@antioche.lip6.fr> 
References: <19990827115805.A4542@antioche.lip6.fr> <19990827123116.A345@antioche.lip6.fr> <199908271422.IAA05497@xerxes.cs.colorado.edu> <19990827163803.A483@antioche.lip6.fr> 

In message <19990827163803.A483@antioche.lip6.fr>
	so spake Manuel Bouyer (bouyer):

> Yes it is. I suspect this has been disabled in OpenBSD. Maybe older versions
> of OpenBSD are vulnerable?

Yes, coredump through symlink was disabled in OpenBSD on 1998/01/09.

> I've a patch which prevents symlinks from being followed if the owner of
> the symlink (or existing file) is not the same as the process.

I can't decide whether or not the owner check is useful.
I keep waffling back and forth :-)

I know the FreeBSD guys have been merging the changes I've made to the
OpenBSD fts.c.  It would be great if all of *BSD had basically the
same fts.c.

 - todd