Xref: utzoo comp.sources.d:2443 comp.unix.questions:8118
Path: utzoo!utgpu!water!watmath!clyde!att!alberta!obed!steve
From: obed!steve@alberta.UUCP (Stephen Samuel)
Newsgroups: comp.sources.d,comp.unix.questions
Subject: Re: compress and setting owner/group
Message-ID: <1439@pembina.UUCP>
Date: 11 Jul 88 06:46:00 GMT
References: <23718@teknowledge-vaxc.ARPA>
Organization: U. of Alberta: Biochemistry , Edmonton, AB
Lines: 20

From article <23718@teknowledge-vaxc.ARPA>, by mkhaw@teknowledge-vaxc.ARPA (Mike Khaw):
> the output file to match that of the input file.  4bsd's chown() allows
> only root to change the user; consequently on ultrix 2.2, the entire call
> .... Is compress safe to install as a setuid root program?

Generically, I'd say no, since, because compress can write to generic files,
it's a mistake to allow it to run setuid.  Consider the following for a
system where /tmp and /etc are on the same filesystem:

cd /tmp
cp /etc/passwd ./pw
vi pw
 
:x
compress pw
ln /etc/pw ./pw
compress -d pw.Z


result:  One broken system...
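
The defensive counterpart to the concern above, as an added example that is not part of the original post or of compress: a privileged tool that must create an output file should refuse any name that already exists and set ownership through the descriptor rather than by path. The helper name open_output_safely and the temp-directory file names are hypothetical; the scenario is constructed in a private directory.

```c
#define _DEFAULT_SOURCE            /* for mkdtemp() */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not from compress): create the output file so that a
 * name planted beforehand is never written through. */
int open_output_safely(const char *path, mode_t mode, uid_t uid, gid_t gid)
{
    /* O_CREAT|O_EXCL fails with EEXIST if the name exists, including when it
     * is a hard link or symlink to some other file. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, mode);
    if (fd < 0) return -1;
    /* Set ownership on the descriptor, not by path, so the name cannot be
     * swapped between create and chown. Failure is treated as non-fatal. */
    if (fchown(fd, uid, gid) != 0) { /* keep the creator's ownership */ }
    return fd;
}

/* Constructed scenario: "target" stands in for a protected file and "pw" is
 * a hard link to it. Returns 1 when the safe open refused the linked name,
 * left the target intact, and a plain truncating open then emptied it. */
int run_demo(void)
{
    char dir[] = "/tmp/setuid_demo_XXXXXX", target[64], out[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(out, sizeof out, "%s/pw", dir);
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "original\n", 9) != 9) return -1;
    close(fd);
    if (link(target, out) != 0) return -1;

    int safe = open_output_safely(out, 0600, getuid(), getgid());
    int refused = (safe < 0 && errno == EEXIST);
    if (safe >= 0) close(safe);
    int intact = (stat(target, &st) == 0 && st.st_size == 9);
    fd = open(out, O_WRONLY | O_CREAT | O_TRUNC, 0600);   /* the unsafe way */
    if (fd >= 0) close(fd);
    int clobbered = (stat(target, &st) == 0 && st.st_size == 0);
    unlink(out); unlink(target); rmdir(dir);
    return refused && intact && clobbered;
}

int main(void) { return run_demo() == 1 ? 0 : 1; }
```

Exclusive creation only protects the open itself; it does not make a general-purpose file writer safe to install setuid root.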