UNIX file setuid security hole?
psfales at ihlpl.UUCP
Sat Mar 14 15:27:39 AEST 1987
In article <695 at aw.sei.cmu.edu.sei.cmu.edu>, pdb at sei.cmu.edu (Patrick Barron) writes:
>
> Of course, if you are running on a system which does allow random users to
> use chown (I've never heard of such a beastie, but just for the sake of
> argument...), I'd have chown clear the 6000 bits of a file's protection
> as part of the chown process (and, of course, you couldn't reset them, since
> you can't chmod a file you don't own....)
On my system, which I assume is running more or less vanilla AT&T UNIX
(uname -a says "uts ihlpl 5.2.5 5 5890") it works exactly this way. I
just tried copying /bin/cat to /tmp and making it setuid to me. That worked
fine. Then I did a chown (random users can chown) to give it to someone
else and the system cleared the setuid bit.
Of course, this still does not address the trojan horse problem.
--
Peter Fales UUCP: ...ihnp4!ihlpl!psfales
work: (312) 979-7784
AT&T Information Systems, IW 1Z-243
1100 E. Warrenville Rd., IL 60566
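The behaviour discussed in this message, as an added example that is not part of the original post: a C helper that clears the set-id ("6000") bits itself before giving a file away instead of relying on the kernel, plus a probe that reports whether the local kernel clears them on chown. The function names and the `/tmp` scratch path are hypothetical, and the scratch file is constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define SETID_BITS (S_ISUID | S_ISGID) /* the "6000 bits" from the thread */

/* Hypothetical helper: strip set-id bits, then hand the file over.
 * Returns the set-id bits still set afterwards (0 = clean), or -1 on error. */
int chown_strip_setid(int fd, uid_t uid, gid_t gid)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        return -1;
    /* Clear first, while we still own the file and are allowed to chmod it. */
    if ((st.st_mode & SETID_BITS) &&
        fchmod(fd, st.st_mode & 07777 & ~SETID_BITS) != 0)
        return -1;
    if (fchown(fd, uid, gid) != 0 || fstat(fd, &st) != 0)
        return -1;
    return (int)(st.st_mode & SETID_BITS);
}

/* Constructed scratch file with mode 04755, like the setuid copy of cat. */
int make_setuid_scratch(char *path_template)
{
    int fd = mkstemp(path_template);
    if (fd >= 0 && fchmod(fd, 04755) != 0) { close(fd); unlink(path_template); fd = -1; }
    return fd;
}

/* Probe: does this kernel clear the bits on chown itself? 1 yes, 0 no, -1 error. */
int kernel_clears_setid_on_chown(void)
{
    char path[] = "/tmp/setid-probe-XXXXXX";
    struct stat st;
    int fd = make_setuid_scratch(path), result = -1;
    if (fd < 0) return -1;
    if (fchown(fd, geteuid(), getegid()) == 0 && fstat(fd, &st) == 0)
        result = (st.st_mode & SETID_BITS) == 0;
    close(fd); unlink(path);
    return result;
}

int main(void)
{
    printf("kernel clears set-id bits on chown: %d\n", kernel_clears_setid_on_chown());
    return 0;
}
```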