File: README.grr 23 Sep 92 This is LHa for Unix, version 1.01u. This is an unofficially patched version (hence `u') of LHa 1.00, which was posted around 1 Apr 92 to fj.sources and reposted by me to alt.sources on 24 Apr 92. I also posted to alt.sources on 24 April an unofficial patch to allow the use of default .lzh extensions. Tom Kloos then sent me on 2 May a patch to extend the use of special permissions, restore the UID and GID, etc. (see below); Jean-Pierre Radley sent on 26 June a patch which sets default .lzh extensions much more elegantly and reliably than mine (also see below). Finally, I fixed bugs in Tom's chown() patch and in util.c (the latter causing compilation errors on a SysV machine). All of the patches in my possession have now been integrated into these sources and tested to some extent (as of 23 Sep 92). The original sources may be regenerated by reverse-patching the context diff file "lha101u.dif". Please note that this is the limit of my involvement with this program. If you find problems or have subsequent patches, I would appreciate hearing about them, but distributing them is up to you. I do not know enough about LHa to offer compilation help or debugging suggestions, either; contact the LHa authors at the address given in "readme.eng" for that. Greg Roelofs roe2@midway.uchicago.edu --------------- From tk@sequent.com Sat May 2 14:17:18 1992 Subject: Re: Unix LHa setuid WARNING Date: Sat, 02 May 92 12:17:08 PDT From: tk@sequent.com [...] I've spent some time modifying lharc so that it more faithfully handles the restoration of various file parameters. Most of this deals with gid, uid, and the magic bits for those two critters. The UNIX (Tektronix UTek) I'm running at home appears very secure. If you're not root, chown doesn't work. "chgrp" (really a variant of the chown call) is OK as long as you're a member of the group, otherwise it's locked out too. This is the behavior of the kernel system call so there's no way around it. Also, any chown or chgrp clears the suid+setgid bits, they have to be reset. Another nice "safety" feature. So all in all... I've done everything possible to let lharc restore everything perfectly. I've included a unified diff of the changes. I also modified the archive listing code so that it shows the suid/setgid/sticky bits. That way someone can see if something is "interesting" about the archive. The other changes are cosmetic and includes your patch. Instead of "LHa" in all error messages, the actual program name is used from argv[0]. Archive listings now look like this: PERMSSN UID GID PACKED SIZE RATIO CRC STAMP NAME ----------------- ------- ------- ------ ---------- ------------ ------------- rwsr-x--- 435/2 3202 9216 34.7% -lh5- 7caa Jul 26 1988 xsh rwxr-s--- 435/20 3202 9216 34.7% -lh5- 7caa Jul 26 1988 ysh rwxr-xr-x 435/2 3202 9216 34.7% -lh5- 7caa Jul 26 1988 zotsh rwxr-x--t 435/2 3202 9216 34.7% -lh5- 7caa Jul 26 1988 zsh ----------------- ------- ------- ------ ---------- ------------ ------------- Total 4 files 12808 36864 34.7% May 2 10:32 [...] Anyway, here's my lharc patches. Feel free to pass them on to anyone along with my comments. You might let the authors know that they *shouldn't* cripple lharc. If for some reason they feel the need to clear the suid/setgid/sticky bits they should make that a compile option (ifdef) so that those of us with more secure environments can make use of the features. Oh yes, Thanks for posting the source! [...] Regards, -Tom Kloos, WS7S, Sequent Computer Systems, Inc., Beaverton, OR tk@sequent.com --------------- From root@jpradley.jpr.com Fri Jun 26 23:17:00 1992 Subject: lha 1.00 Date: Fri, 26 Jun 92 20:14:56 EDT From: root@jpradley.jpr.com (Jean-Pierre Radley ) Two months ago, you supplied a patch in alt.sources for LHa 1.00, which you said would take care of adding ".lzh" to a new archive's name if you didn't expressly type it on the command line. I find that your patch doesn't do the job. The code is a mess, in that here, ".lzh" is used literally, and there, a manifest define for the extension is used instead. I don't feel like re-working it, except that I did want the extension to be added automatically. I also wanted to have other dots in my archive names, which the original didn't allow: for example, "lha a FILE.9206 *.c" should produce an archive named FILE.9206.lzh. After I reverse your patch, I use the one that follows. [...] Jean-Pierre Radley Unix in NYC jpr@jpr.com jpradley!jpr CIS: 72160,1341