BEWARE: 10.3.9 breaks standard Unix functionality

[Bear]

From the 10.3.9 announcement email I just received, Apple removed some standard Unix functionality because it is a security threat:

Kernel
CVE ID: CAN-2005-0970
Impact: Permitting SUID/SGID scripts to be installed could lead to
privilege escalation.
Description: Mac OS X inherited the ability to run SUID/SGID scripts
from FreeBSD. Apple does not distribute any SUID/SGID scripts, but
the system would allow them to be installed or created. This update
removes the ability of Mac OS X to run SUID/SGID scripts. Credit to
Bruce Murphy of rattus.net and Justin Walker for reporting this
issue.

However, some shops may have written scripts that depend on that functionality being there.

What third party applications may have been broken because of this? What places that use Mac servers are not going to be able to update to 10.3.9 without issues because of this?

I know I had a few scripts set up that way.

 

[MisterMe]

From the 10.3.9 announcement email I just received, Apple removed some standard Unix functionality because it is a security threat:However, some shops may have written scripts that depend on that functionality being there.

What third party applications may have been broken because of this? What places that use Mac servers are not going to be able to update to 10.3.9 without issues because of this?

I know I had a few scripts set up that way.

If the flaws found in MacOS X (Darwin) also exist in other implementations of BSD, then the fixes to the flaws will also propagate to other implementations of BSD. This means that scripts that depend on these flawed functions will have to be changed irrespective of BSD implementation.

 

[Bear]

If the flaws found in MacOS X (Darwin) also exist in other implementations of BSD, then the fixes to the flaws will also propagate to other implementations of BSD. This means that scripts that depend on these flawed functions will have to be changed irrespective of BSD implementation.

Actually, I wdon't think I was stating whether it was a good or a bad fix. I was pointing it out so people didn't get bitten by it.

And it's not just BSD, every flavor of Unix (including Linux) has(had?) the SUID/SGID functionality. There are a lot of scripts in use that depend on this. And you know something, Unix has had this functionality for like forever and it hasn't been a big issue.

 

[Westside guy]

And it's not just BSD, every flavor of Unix (including Linux) has(had?) the SUID/SGID functionality.

Yes and it's often been the source of privilege escalation attacks. There was a well-known Perl suid issue about four years ago, and there were Apache suexec issues (a similar sort of thing) prior to that. I'm pretty sure Red Hat, and likely most other Linux vendors, now disables suid-like capabilities by default - you can always manually enable them if you need it.