Novell security advisory on sadc, urestore and the suid_exec feature

Marcel-Franck Simon (
Fri, 9 Dec 1994 14:55 EST

I am posting this on behalf of Novell Technical Support. Please contact
them directly if you have any questions; if you must reply to me, I
will forward.


Recently, there were three security advisories posted on the
"net" associated with several versions of the Unix Operating System.
These advisories are related to the following:

	/usr/lib/sa/sadc	The command is sgid-on-exec to "sys"

	/usr/sbin/urestore	The command is suid-on-exec to "root"

	suid_exec feature	This pertains to "ksh".

One of the operating system versions affected was the UnixWare 1.1
product distributed by Novell, Inc.  Listed below are the results of
the investigation that took place concerning the affected binaries:

	With respect to the "sadc" problem, the "sadc" binary in the
	UnixWare 1.1 product has been modified such that it no longer
	poses a security threat.
	This modification is provided as PTF683 and is available from
	Novell Technical Support at (800) 486-4835.
	With respect to the "urestore" problem, this requires an attribute
	modification to remove the suid-on-exec bit.  The functionality of
	"urestore" should remain unchanged.  This modification is also
	included in PTF683.
	The last advisory, suid_exec for ksh, does not apply to the version
	of "ksh" supplied with the UnixWare 1.1 product.
	This advisory relates to a feature in "ksh" that allows for the
	execution of suid-on-exec shell scripts.  Since the UnixWare 1.1
	product provides this capability in the exec(2) system call in
	the kernel, the UnixWare 1.1 product does not need to set that
	DEFINE value when compiling "ksh" to achieve this capability and
	hasn't since SVR4.0.

Novell, Inc. has sent source fixes to all SVR4.0, SVR4.2, and SVR4.2MP
OEM customers for both the "sadc" and "urestore" advisories.  These vendors
should be making them available to licensees of their SVR4.X-based operating
systems.  If you are using any of the versions mentioned above, you should
contact the appropriate vendor to obtain their official update.