UNIX file setuid security hole?

psfales at ihlpl.UUCP psfales at ihlpl.UUCP
Sat Mar 14 15:27:39 AEST 1987


In article <695 at aw.sei.cmu.edu.sei.cmu.edu>, pdb at sei.cmu.edu (Patrick Barron) writes:
> 
> Of course, if you are running on a system which does allow random users to
> use chown (I've never heard of such a beastie, but just for the sake of
> argument...), I'd have chown clear the 6000 bits of a file's protection
> as part of the chown process (and, of course, you couldn't reset them, since
> you can't chmod a file you don't own....)

On my system, which I assume is running more or less vanilla AT&T UNIX
(uname -a says "uts ihlpl 5.2.5 5 5890") it works exactly this way.  I
just tried copying /bin/cat to /tmp and making it setuid to me.  That worked
fine.  Then I did a chown (random users can chown) to give it to someone 
else and the system cleared the setuid bit.

Of course, this still does not address the trojan horse problem.
-- 
Peter Fales		UUCP:	...ihnp4!ihlpl!psfales
			work:	(312) 979-7784
				AT&T Information Systems, IW 1Z-243
				1100 E. Warrenville Rd., IL 60566
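
A check in the spirit of the test described in the post above, added here as an example and not part of the original message: it sets the 6000 bits on a scratch file, runs chown, and reports whether the bits survived. It assumes an empty probe file in place of the /bin/cat copy and a `mktemp` that supports `-d`; the function names `special_bits` and `check_chown_clears` are made up for this example.

```shell
#!/bin/sh
# Added example: does chown on this system clear the setuid/setgid (06000) bits?

# Print the special bits of a file as one digit: 4 = setuid, 2 = setgid, 6 = both.
special_bits() {
    sb_mode=$(ls -ld "$1") || return 1
    sb=0
    # Character 4 of the mode string is the owner-execute slot, 7 the group one;
    # 's' or 'S' there means the setuid/setgid bit is set.
    case $sb_mode in ???[sS]*) sb=$((sb + 4)) ;; esac
    case $sb_mode in ??????[sS]*) sb=$((sb + 2)) ;; esac
    echo "$sb"
}

# $1 = new owner. Defaults to the current user so the check runs unprivileged;
# pass another user name where giving files away is permitted, or as root.
# Returns 0 if chown cleared the bits, 1 if they survived, 2 if setup failed.
check_chown_clears() {
    cc_owner=${1:-$(id -u)}
    cc_dir=$(mktemp -d) || return 2
    cc_file=$cc_dir/probe
    : > "$cc_file"                      # empty probe, nothing worth executing
    chmod 6755 "$cc_file"
    cc_before=$(special_bits "$cc_file")
    cc_rc=2
    if [ "$cc_before" != 0 ] && chown "$cc_owner" "$cc_file" 2>/dev/null; then
        cc_after=$(special_bits "$cc_file")
        echo "before=${cc_before}000 after=${cc_after}000"
        if [ "$cc_after" = 0 ]; then cc_rc=0; else cc_rc=1; fi
    fi
    rm -rf "$cc_dir"                    # we still own the directory
    return "$cc_rc"
}

check_chown_clears "$@" ||
    echo "bits were not cleared, or the probe could not be set up" >&2
```
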


