A security hole
00704a-Liber
nevin1 at ihlpf.ATT.COM
Thu Mar 31 08:32:15 AEST 1988
In article <130 at heart-of-gold> jc at heart-of-gold (John M Chambers x7780 1E342) writes:
.OK, I'll bite. Here are the permissions on my home directory and .login:
.
.drwxrwxr-x 21 jc wheel 2560 Mar 24 08:30 .
.-rw-r--r-- 2 jc wheel 250 Jan 29 14:53 .login
.
.And here's the rnews command:
.
.22531 -rwsr-sr-x 2 news news 114688 Mar 17 13:33 /news/bin/rnews
.
.Explain to me how someone could use this setuid-news, setgid-news program
.to write into my .login file. No need to explain further; I do appreciate
.why I wouldn't want you to do that. But I don't quite see how this setup
.makes it possible.
It is not possible for someone to *directly* abuse this to write to your
(uid=jc, gid=wheel) .login file. However, someone may be able to abuse
rnews and become uid=news, gid=news. They would then have access to all of
news's files. This is where the security break is.
BTW, some time ago I saw a file with the following permissions:
-rwsrwsrwx foo bar somefile
From a security standpoint, what's wrong with this picture?? (Please DON'T
post answers to this question; it is merely rhetorical.)
--
_ __ NEVIN J. LIBER ..!ihnp4!ihlpf!nevin1 (312) 510-6194
' ) ) "The secret compartment of my ring I fill
/ / _ , __o ____ with an Underdog super-energy pill."
/ (_</_\/ <__/ / <_ These are solely MY opinions, not AT&T's, blah blah blah
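
Added example, not part of the original post: a Python audit helper that decodes `ls -l` mode strings like the ones quoted above and flags set-id files that someone other than the owner can modify. The function names are this example's own; the listings in the demo are the mode strings quoted in the post.

```python
import os
import stat

SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_ls_mode(text):
    """Turn an `ls -l` mode string such as '-rwsr-sr-x' into permission bits."""
    if len(text) != 10:
        raise ValueError("expected 10 characters, got %r" % text)
    mode = 0
    for i, ch in enumerate(text[1:]):
        bit = 0o400 >> i                          # r/w/x bit for this column
        if i in SPECIAL and ch.lower() == ("t" if i == 8 else "s"):
            mode |= SPECIAL[i]                    # set-id or sticky bit
            if ch.islower():                      # lower case: execute is set too
                mode |= bit
        elif ch == "rwx"[i % 3]:
            mode |= bit
        elif ch != "-":
            raise ValueError("bad character %r in %r" % (ch, text))
    return mode

def assess(mode):
    """Report whose identity a file runs with and who besides the owner can modify it."""
    runs_as = [n for n, b in (("owner", stat.S_ISUID), ("group", stat.S_ISGID)) if mode & b]
    writable_by = [n for n, b in (("group", stat.S_IWGRP), ("other", stat.S_IWOTH)) if mode & b]
    return {"runs_as": runs_as, "writable_by": writable_by,
            "flag": bool(runs_as and writable_by)}

def scan(root):
    """Walk a tree and return (path, octal mode) for every flagged regular file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                   # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and assess(st.st_mode)["flag"]:
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return hits

if __name__ == "__main__":
    # Mode strings taken from the listings quoted in the post.
    for listing in ("-rwsr-sr-x", "-rwsrwsrwx", "-rw-r--r--"):
        bits = parse_ls_mode(listing)
        print(listing, oct(bits), assess(bits))
```

The rnews listing is not flagged by its permission bits alone, which matches the reply above: the exposure there depends on what the program can be made to do while running as news.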