A security hole
Brandon Allbery
allbery at ncoast.UUCP
Mon Apr 4 04:54:55 AEST 1988
As quoted from <130 at heart-of-gold> by jc at heart-of-gold (John M Chambers x7780 1E342):
+---------------
| In article <7521 at ncoast.UUCP>, allbery at ncoast.UUCP (Brandon Allbery) writes:
| > If I wasn't *real* careful with the (setuid) program which grabs incoming
| > sources.misc submissions, someone could gain write access to any of my files.
| > Such as my .login. This isn't a potential security hole? (The alternative
| > is to make a certain directory world-writeable; not a sound idea in this case.)
|
| OK, I'll bite. Here are the permissions on my home directory and .login:
|
| drwxrwxr-x 21 jc wheel 2560 Mar 24 08:30 .
| -rw-r--r-- 2 jc wheel 250 Jan 29 14:53 .login
|
| And here's the rnews command:
|
| 22531 -rwsr-sr-x 2 news news 114688 Mar 17 13:33 /news/bin/rnews
|
| Explain to me how someone could use this setuid-news, setgid-news program
| to write into my .login file. No need to explain further; I do appreciate
+---------------
-rwsr-xr-x 1 allbery System 56462 Mar 20 16:33 /u/allbery/bin/stash
Recall that moderated submissions are *mailed* to the moderator, not posted.
And, of course, I should hope that I own my home directory and .login.
--
Brandon S. Allbery, moderator of comp.sources.misc
{well!hoptoad,uunet!hnsurg3,cbosgd,sun!mandrill}!ncoast!allbery
More information about the Comp.bugs.sys5 mailing list
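The care a setuid-to-owner program such as the `stash` binary listed above has to take can be sketched as follows. This is an added example, not code from the original post or from the author's program; it assumes the output file name is derived from the untrusted mail, and `spool_create`, `name_ok`, `demo` and the sample names are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Accept only a plain file name: non-empty, short, no '/', no leading '.'. */
static int name_ok(const char *n) {
    return n && *n && n[0] != '.' && strlen(n) < 64 && strchr(n, '/') == NULL;
}

/* Create NAME inside the directory open on SPOOLFD. O_EXCL refuses any
 * existing entry (including a planted symlink) and O_NOFOLLOW refuses to
 * traverse one, so the owner's other files are never opened for writing. */
int spool_create(int spoolfd, const char *name) {
    if (!name_ok(name)) { errno = EINVAL; return -1; }
    return openat(spoolfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: bit i of the result is set if attempt i succeeded. */
int demo(void) {
    char dir[] = "/tmp/spoolXXXXXX";
    const char *tries[] = { "article.1", "../.login", "/etc/passwd",
                            ".login", "article.1", "link" };
    int bits = 0, fd, spoolfd;
    if (!mkdtemp(dir)) return -1;
    if ((spoolfd = open(dir, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    /* Constructed hostile entry: a symlink pointing outside the spool. */
    if (symlinkat("/tmp/elsewhere", spoolfd, "link") != 0) return -1;
    for (int i = 0; i < 6; i++) {
        if ((fd = spool_create(spoolfd, tries[i])) >= 0) { bits |= 1 << i; close(fd); }
    }
    unlinkat(spoolfd, "article.1", 0);
    unlinkat(spoolfd, "link", 0);
    close(spoolfd);
    rmdir(dir);
    return bits;
}

int main(void) {
    printf("accepted mask: 0x%x\n", demo());
    return 0;
}
```

Only the first attempt is accepted; the path-traversal names, the dotfile, the duplicate and the symlink are all refused.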