Patch-ID# 100630-01
Keywords: security, login international, su, LD_ environment variables
Synopsis: SunOS 4.x: environment variables can be used to exploit login/su
Date: 18/May/92

SunOS release: SunOS 4.1;4.1.1;4.1.2

Unbundled Product:

Unbundled Release:

Topic: security, login and su exploitable via LD_ environment variables

BugId's fixed with this patch: 1085851

Architectures for which this patch is available: sun3, sun4

Patches which may conflict with this patch:

Obsoleted by:

Files included with this patch: login, su, su.5bin

Problem Description: A dynamically-linked program that is forked by a
setuid program has access to the caller's environment variables if the
setuid program sets the real UID equal to the effective UID and the real
GID equal to the effective GID before the dynamically-linked program is
forked.

Note that this patch contains the international version of /bin/login
that users who are not using the US Encryption Kit need to install.
Patch 100631-01 contains the domestic version of /bin/login.
/usr/bin/su and /usr/5bin/su from this international patch are suitable
for sites that use the US Encryption Kit.

Install Instructions:

Perform all commands as root. It is strongly recommended that the
install be performed in single user mode if user logins are possible
during the execution of these commands.

Make a copy of the old files:

    mv /bin/login /bin/login.FCS
    mv /usr/bin/su /usr/bin/su.FCS
    mv /usr/5bin/su /usr/5bin/su.FCS

Change permissions on old files so they can't be executed:

    chmod 0400 /bin/login.FCS /usr/bin/su.FCS /usr/5bin/su.FCS

Install the patched files:

    cp `arch`/login /bin/login
    cp `arch`/su /usr/bin/su
    cp `arch`/su.5bin /usr/5bin/su

Change the owner and file permissions of the new files:

    chown root.staff /bin/login /usr/bin/su /usr/5bin/su
    chmod 4755 /bin/login /usr/bin/su /usr/5bin/su
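
Added example for the Problem Description above (not code from this patch, whose contents the README does not describe): one common mitigation is for a setuid program to strip every LD_ variable from the environment it hands to a child before exec. The function name scrub_ld_env and the sample environment values are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Remove every "LD_*" entry from a NULL-terminated environment vector,
 * compacting it in place. Only a leading "LD_" prefix matches, so names
 * that merely contain "LD_" (e.g. OLD_LD_X) are kept.
 * Returns the number of entries removed.
 */
int scrub_ld_env(char **envp)
{
    char **src, **dst;
    int removed = 0;

    for (src = dst = envp; *src != NULL; src++) {
        if (strncmp(*src, "LD_", 3) == 0)
            removed++;       /* drop: variable read by the dynamic linker */
        else
            *dst++ = *src;   /* keep: slide entry down over removed slots */
    }
    *dst = NULL;             /* re-terminate the shortened vector */
    return removed;
}

int main(void)
{
    /* Constructed sample environment, as a setuid caller might inherit it. */
    char *env[] = {
        "LD_LIBRARY_PATH=/tmp/lib",
        "HOME=/home/user",
        "OLD_LD_X=1",
        "LD_PRELOAD=/tmp/x.so",
        NULL
    };
    char **p;
    int n = scrub_ld_env(env);

    printf("removed %d LD_ entries; environment passed to child:\n", n);
    for (p = env; *p != NULL; p++)
        printf("  %s\n", *p);
    /* A real caller would now pass env to execve() as the child's envp. */
    return 0;
}
```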