IRIX inpview hole
Description: inpview is part of a video conferencing package. Wow, in 1997 we've got a system() without absolute path vulnerability. Haven't seen something that pathetic in a while, except for the M$ OOB problem.
Author: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: root (local)
Vulnerable Systems: IRIX, presumably 5.3, 6.2, and 6.3
Date: 7 May 1997
Date: Wed, 7 May 1997 05:48:00 -0500
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Irix: misc
[...]
1. /usr/lib/InPerson/inpview
inpview is part of the InPerson desktop video conferencing package. It's root-owned/suid and is written in a classic SGI suid-programming style, i.e. in the course of execution inpview, without dropping euid=0, starts the program ttsession, using system() and without bothering to use an absolute path. So it's pretty much like a suid shell sitting around, in case you forget the root password. It does all kinds of other dangerous stuff as well, e.g. predictable tmp files.
The obvious fix is to strip the suid bit, which is most likely to break it. I don't know why it's necessary to be root to establish a non-authenticated connection between two machines, but I guess the SGI guys know better. If you do need InPerson badly, consider restricting execution privileges to a trusted group of users, or putting a standard wrapper around it, kind of what AUSCERT usually supplies with their advisories. Such a wrapper should reset critical environment variables (PATH, HOME, LOGNAME, etc.), check the command line for unwanted characters (shell metacharacters, see the sh(1) manpage), and check the command line and maybe a few environment variables for length. It doesn't protect you from all evils, notably nothing can be done about the tmp files, but it's better than nothing.
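As an added example (not part of the original post, and not SGI's or AUSCERT's code), here is a small setuid wrapper in C of the kind the post describes: it discards the caller's environment in favour of fixed values for PATH, IFS, HOME and LOGNAME, rejects any argument that contains sh(1) metacharacters or exceeds a length limit, and then execs the real binary by absolute path. The path /usr/lib/InPerson/inpview.real, the metacharacter set and the size limits are assumptions made for the example, not values from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <pwd.h>
#include <sys/types.h>

/* Assumed location of the renamed real binary; the wrapper is installed
 * at the original path in its place. Placeholder, not a path from SGI. */
#define REAL_BINARY "/usr/lib/InPerson/inpview.real"
#define MAX_ARG_LEN 256   /* assumed limit per argument */
#define MAX_ARGS    32    /* assumed limit on argument count */

/* sh(1) metacharacters plus whitespace: refused in any argument, since
 * inpview hands strings to system() and thus to a shell. */
static const char shell_meta[] = "`$|&;<>()*?[]{}~\\\"'!# \t\n\r";

/* 1 if s contains any shell metacharacter, else 0. */
int has_shell_meta(const char *s) {
    return strpbrk(s, shell_meta) != NULL;
}

/* 1 if every argument after argv[0] is printable ASCII, within the length
 * limit and free of shell metacharacters; argv[0] is skipped because the
 * wrapper replaces it before exec. */
int args_are_safe(int argc, char *const argv[]) {
    if (argc > MAX_ARGS) return 0;
    for (int i = 1; i < argc; i++) {
        size_t n = strlen(argv[i]);
        if (n > MAX_ARG_LEN) return 0;
        if (has_shell_meta(argv[i])) return 0;
        for (size_t j = 0; j < n; j++) {
            unsigned char c = (unsigned char)argv[i][j];
            if (c < 0x21 || c > 0x7e) return 0;  /* control chars, space, non-ASCII */
        }
    }
    return 1;
}

/* Fills out[] with a fixed environment: PATH and IFS are constants, HOME and
 * LOGNAME come from the password database rather than from the caller.
 * Nothing the caller exported survives. Returns the number of entries
 * (excluding the terminating NULL), or -1 if out[] is too small or the
 * inputs themselves contain shell metacharacters. */
int build_safe_env(char **out, int max, const char *home, const char *logname) {
    if (max < 5 || has_shell_meta(home) || has_shell_meta(logname)) return -1;
    int n = 0;
    out[n++] = "PATH=/usr/bin:/bin";   /* system directories only: no ".", no user dirs */
    out[n++] = "IFS= \t\n";            /* default word splitting for any shell inpview spawns */
    size_t hl = strlen(home) + sizeof("HOME=");
    size_t ll = strlen(logname) + sizeof("LOGNAME=");
    char *h = malloc(hl);
    char *l = malloc(ll);
    if (!h || !l) { free(h); free(l); return -1; }
    snprintf(h, hl, "HOME=%s", home);
    snprintf(l, ll, "LOGNAME=%s", logname);
    out[n++] = h;
    out[n++] = l;
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[]) {
    if (!args_are_safe(argc, argv)) {
        fprintf(stderr, "inpview wrapper: argument rejected\n");
        return 1;
    }
    struct passwd *pw = getpwuid(getuid());   /* real uid, i.e. the invoking user */
    char *env[8];
    if (!pw || build_safe_env(env, 8, pw->pw_dir, pw->pw_name) < 0) {
        fprintf(stderr, "inpview wrapper: cannot build environment\n");
        return 1;
    }
    argv[0] = REAL_BINARY;
    execve(REAL_BINARY, argv, env);   /* absolute path: no PATH search at this step */
    perror("inpview wrapper: execve");
    return 1;
}
```

The wrapper takes the suid bit and the original path; the real binary is moved to the assumed REAL_BINARY location and made executable only by root (the wrapper is the sole way to reach it). Note what this does and does not address: the exec above uses an absolute path, and the PATH handed to inpview contains only system directories, so its own system("ttsession") call can no longer be redirected through a user-controlled PATH or a current directory entry; the predictable tmp files the post mentions are untouched, exactly as the post says.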
This page is part of Fyodor's exploit world.