Getting to root when the password has been lost

Saumen K Dutta skdutta at cs.tamu.edu
Mon Oct 15 08:50:59 AEST 1990


In article <1990Oct14.132119.27827 at athena.mit.edu> jik at athena.mit.edu (Jonathan I. Kamens) writes:
->|> anyway, I did a find and found a file that was setuid,
->|> belonged to root, and was writable by me.  I wrote a small 'C' program to
->|> change the permissions on /etc/passwd to rw-rw-rw (temporarily, of course),
->|> linked the program, cat'ted that into the setuid file, and voila.
->
->From the man page write(2) on my BSD 4.3 (well, actually, IBM AOS, but it's
->close enough) system:
->
->     If the real user is not the super-user, then write clears
->     the set-user-id bit on a file.  This prevents penetration of
->     system security by a user who captures a writable set-user-
->     id file owned by the super-user.
->
->I consider this to be a very important security feature; the fact that you
->were able to use its absence to break into root, after obtaining only access
->to a generic non-root account, is good evidence of this.  Does the NCR Tower
->not have this in its kernel (if so, I would complain to your vendor!!)?
->

In a different context I found that this feature is not implemented in
uucp. Some time back I used to work on SCO-XENIX 2.2.1 and while sending
mail through UUCP, I noticed that if the sender machine sends a file
with set-uid on, the file is stored on the destination machine with
set-uid on. This may be considered a security breach, as an ordinary
user can have access to all uucp files on the remote machine. I would like
to know if other unix versions also permit the same.

Thanks

--
     _                                   ||Internet: skdutta at cssun.tamu.edu  
    (   /_     _ /   --/-/- _            ||Bitnet : skd8107 at tamvenus.bitnet 
   __)_/(_____(_/_(_/_(_(__(_/_______    ||Uucp : uunet!cssun.tamu.edu!skdutta
                                 ..      ||Yellnet: (409) 846-8803
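As an added example, not part of the original thread or of any vendor's code: a small C probe an administrator can compile to check whether the local kernel implements the write(2) behaviour quoted above, namely clearing the set-user-id bit when a non-superuser writes to a file. It creates its own scratch file (using /tmp is an assumption), so it touches no existing setuid program.

```c
/* Added example (not part of the original post): probe whether this kernel
 * clears the set-user-id bit when a non-superuser writes to a file, i.e. the
 * write(2) behaviour quoted from the BSD 4.3 manual above.  Using /tmp for
 * the scratch file is an assumption. */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Creates a scratch file owned by the caller, sets S_ISUID on it (the owner
 * of a file may always set that bit), writes one byte, and reports whether
 * the bit survived.  Returns 1 if S_ISUID survived the write, 0 if the
 * kernel cleared it, -1 on a system-call error.  The scratch file is
 * removed before returning. */
int suid_survives_write(void)
{
    char path[] = "/tmp/suid_probe.XXXXXX";   /* assumption: /tmp is writable */
    struct stat st;
    int fd = mkstemp(path);
    int result = -1;

    if (fd < 0)
        return -1;
    if (fchmod(fd, S_ISUID | S_IRWXU) == 0 &&
        write(fd, "x", 1) == 1 &&
        fstat(fd, &st) == 0)
        result = (st.st_mode & S_ISUID) ? 1 : 0;

    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int r = suid_survives_write();
    if (r < 0) {
        perror("suid probe");
        return 2;
    }
    if (r == 1 && geteuid() != 0)
        printf("WARNING: set-user-id bit survived a write by uid %d\n",
               (int)geteuid());
    else if (r == 1)
        printf("bit survived, but this ran as root; rerun as an ordinary user\n");
    else
        printf("ok: kernel cleared the set-user-id bit on write\n");
    return 0;
}
```

Run it as an ordinary user: the superuser keeps the bit by design, so a root run says nothing about the protection.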