Which commands (in /bin & /usr/bin) must have set user ID (for root)

Jim Webb jrw at hropus.UUCP
Tue Oct 21 05:37:09 AEST 1986


> >Also, /etc does not need to be 775 group sys.  Make it 755.
> 
> Although /etc does not *need* to be 775 group sys, it makes ps(1) run
> much faster in most cases (see explanation below).  I don't know if 
> other standard programs make use of this situation, but I don't think 
> that it creates a security problem.  Unless other programs that are 
> setgid sys have shell escapes (I don't know of any) or access to group 
> sys is granted indiscriminately, I think that /etc should remain mode 
> 775, group sys, as distributed.  

I can think of one program off the top of my head that is setgid sys
and has two very exploitable security holes.   I would mention it here,
but I am sure that every college student listening in would try it :-).

I guess it is a tradeoff: I can become root on any standard SV machine
in under 60 seconds if /etc is 775 group sys, or ps can run slower if
/etc isn't writable by group sys.

Because of this, I guess ps should be hacked to overwrite
/etc/ps_data instead of unlinking and exclusively re-creat-ing it.
Or, make "yet another" nothing login with NONE as its passwd so that
it is IMPOSSIBLE for a non-superuser to login or su to the account,
make it the owner of /etc, 755, and make ps setuid to it.  You have to keep
ps setgid sys, otherwise you cannot get at /dev/*mem and /dev/swap.

ISN'T SECURITY FUN?

It should be noted to fellow AT&T Bell Labbers that the hole mentioned above
has been closed on most, if not all, 452 CompCenter machines, so don't waste
your time looking at all of the setgid sys programs :-)
-- 
Jim Webb             "Out of phase--get help"          ...!ihnp4!hropus!jrw
		"Use the Force, Read the Source"
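The in-place overwrite the post proposes for /etc/ps_data, shown as an added C illustration that is not from the original post or from any ps source: rewrite_in_place needs only write permission on the file, while the unlink-and-exclusively-re-creat sequence needs write permission on the directory, which is exactly what forces /etc to 775. The helper names and the /tmp scratch directory are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Rewrite an existing file in place (open without O_CREAT, truncate, write).
 * Only write permission on the file is needed, so the directory holding it
 * can stay mode 755. Returns 0 on success, -1 with errno set. */
int rewrite_in_place(const char *path, const char *data, size_t len)
{
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len) { close(fd); return -1; }
    return close(fd);
}

/* The unlink-then-exclusively-re-creat sequence the post objects to. Both
 * steps modify the directory entry, so they need write permission on the
 * directory itself, which is why ps wants /etc group-writable. */
int rewrite_by_recreate(const char *path, const char *data, size_t len)
{
    if (unlink(path) < 0 && errno != ENOENT)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len) { close(fd); return -1; }
    return close(fd);
}

/* Constructed fixture: a scratch directory with one pre-existing writable
 * data file, then the directory's write bit is removed (0555), as a
 * non-owner sees /etc at 755. Stores the file path in buf; 0 on success. */
int setup_readonly_dir(char *buf, size_t buflen)
{
    char dir[] = "/tmp/psdataXXXXXX";   /* mkdtemp fills in the XXXXXX */
    if (mkdtemp(dir) == NULL)
        return -1;
    if (snprintf(buf, buflen, "%s/ps_data", dir) >= (int)buflen)
        return -1;
    int fd = open(buf, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || close(fd) < 0)
        return -1;
    return chmod(dir, 0555);   /* r-x only: no unlink or creat in here */
}
```

Run as a non-root user the re-create path fails with EACCES while the in-place path succeeds; root ignores directory modes, so the comparison is only meaningful unprivileged.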
