write clears setuid in BSD
Daniel R. Levy
levy at ttrdc.UUCP
Tue Nov 4 16:31:31 AEST 1986
In article <700 at copper.UUCP>, stevesu at copper.UUCP (Steve Summit) writes:
>In article <8616 at sun.uucp>, guy at sun.uucp (Guy Harris) writes:
>> > Anyway, if a setuid program overwrites itself, it is no longer setuid!
>> It says this *in the 4BSD manual page for write(2)*; this is a Berkeleyism.
>> I consider it to be an airbag;...
>I think this airbag solves a significant class of potential
>security problems...
>/usr/bin/uniq was setuid
>root!
>But since uniq happens to take an output
>filename argument, I could have parlayed that hole into a general
>one, by using the incongruously setuid uniq to scribble a
>genuinely useful program (like /bin/sh) onto a previously setuid
>program (like /bin/passwd).
Right in principle; in practice I'd think you'd have a hard time getting
uniq to pass a binary file :-). Still, a point well taken.
>It's true that limited write ability could still be used to
>scribble on /etc/passwd (which is less desirable for a hacker's
>purpose due to console log messages for su's), and to do a few
>more subtle tricks (which I think I won't mention).
> Steve Summit
While su's may show up on the console, does it show up on the console in
BSD if a user simply logs in to an account (other than root) which shows
a UID of 0 in /etc/passwd? SysV doesn't allow direct login to a UID 0
account except at the console, but I don't have a BSD system to try this
with.
--
dan levy | yvel nad
an engihacker @ at&t computer systems division, skokie, illinois
Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,allegra,ulysses,vax135}!ttrdc!levy
go for it!
Disclaimer: The views contained herein are my own and are not at all those of my employer or the administrator of any computer upon which I may hack.
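The "airbag" under discussion can be checked directly on a running system. The following is an added example, not code from the original thread: it creates a scratch file owned by the caller, marks it set-user-ID, writes to it and reports whether the kernel cleared the bit. The scratch path and payload are constructed for the demonstration; the behaviour it probes is the one the 4BSD write(2) page describes, which Linux also implements for callers without CAP_FSETID.

```c
/* Probe the set-user-ID-clearing-on-write behaviour discussed above.
 * An unprivileged owner may set the set-user-ID bit on a file it owns,
 * so no privilege is needed to run this. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the set-user-ID bit is still present after the write,
 * 0 if the kernel cleared it, -1 on error (errno is set). */
int setuid_survives_write(void)
{
    char path[] = "/tmp/airbag-demo-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;

    int result = -1;
    struct stat st;
    /* Mark our own file set-user-ID and confirm the bit actually took. */
    if (fchmod(fd, S_ISUID | S_IRWXU) == 0 &&
        fstat(fd, &st) == 0 && (st.st_mode & S_ISUID)) {
        const char payload[] = "#!/bin/sh\necho overwritten\n"; /* constructed */
        ssize_t want = (ssize_t)(sizeof payload - 1);
        /* The write is the event the airbag reacts to; re-stat afterwards. */
        if (write(fd, payload, (size_t)want) == want && fstat(fd, &st) == 0)
            result = (st.st_mode & S_ISUID) ? 1 : 0;
    }
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int r = setuid_survives_write();
    if (r < 0) {
        perror("setuid_survives_write");
        return 1;
    }
    printf("set-user-ID bit %s the write (euid %u)\n",
           r ? "survived" : "was cleared by", (unsigned)geteuid());
    return 0;
}
```

A caller with CAP_FSETID (typically root) keeps the bit, so the result is only informative when run as an ordinary user.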