3b1 security and removal of ua
John R. MacMillan
john at chance.UUCP
Fri Apr 12 15:25:48 AEST 1991
|There is a function in the TAM library, eprintf(3T), that is used to
|print error messages. It is how the ! and !! icons get on the first
|line of your screen. Also, the calendar icon if you are using the
|pcal program.
|
|I believe eprintf writes to /dev/error, which is read by smgr.
|
|It all seems pretty innocuous, display an icon, print a message when
|a user clicks on the icon. No danger there.
|
|EXCEPT, one of the arguments to eprintf(3T) is what to do when the
|user clicks on the icon. And one of the possibilities is ST_EXEC;
|execute a program!!!
|
|Guess which user id, and in which directory the program is executed;
|
|You security hounds are right: by root and in the root directory.
Tom Kelly <tom at ancilla> pointed this out at one time. I think he also
said ST_LOG was a problem, since you can use it to write any file (e.g.
/etc/passwd), as root.

Very scary, and just another reason to not run smgr. (I don't; I use
mgr.)
|So, essentially, anyone with access to your C compiler has access to
|your entire machine!
Who needs a C compiler? Try:
echo ":D:E::/usr/bin/id\c" > /dev/error
|Sleep comfortably last night?
I slept just fine...