Who dat?

Chuck Karish karish at denali.stanford.edu
Fri Jul 22 01:42:26 AEST 1988


In article <51 at minya.UUCP> jc at minya.UUCP (John Chambers) writes:
>In article <3789 at rpp386.UUCP>, jfh at rpp386.UUCP (John F. Haugh II) writes:
>> In article <2310 at rtech.rtech.com> daveb at rtech.com (Dave Brower) writes:
>> >How can the server find out who the client is, in a spoof-proof and
>> >secure way?

>> have the client create a file with the suid and sgid bits set. 

>Let's see, what I do when you ask my process A to create this file is
>to have a program B sitting around that is setuid/setgid to whomever
>I want you to think A is; A would start up B as a subprocess, with the
>desired filename in argv[1]; B would create it.  How would you determine
>that A isn't this uid/gid combination?

This describes a situation in which the user has successfully created
a live Trojan horse.  It means that the user has cooperation from
the owner of the setuid file, or knew the super user password at some
time in the past.  In either case, security has been compromised in
ways that can't be detected under SysV.  An obvious administrative fix
is to scan periodically for setuid programs.



Chuck Karish	ARPA:	karish at denali.stanford.edu
		BITNET:	karish%denali at forsythe.stanford.edu
		UUCP:	{decvax,hplabs!hpda}!mindcrf!karish
		USPS:	1825 California St. #5   Mountain View, CA 94041
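
The periodic scan for setuid programs suggested above, as an added example that is not part of the original post: a POSIX shell sketch that records every setuid or setgid regular file under a directory with its checksum and reports entries missing from a saved baseline. The function names `scan_setid` and `report_new_setid` and the baseline file format are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): periodic setuid/setgid scan.
# Function names and the baseline format are assumptions for illustration.

# Print one "crc size path" line for every setuid or setgid regular file
# under directory $1, staying on one filesystem, sorted for use with comm.
# Run it as a user who can read the files, or cksum will skip them.
scan_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec cksum {} + 2>/dev/null | LC_ALL=C sort
}

# Compare the current state of directory $1 with baseline file $2 (earlier
# scan_setid output). Prints entries that are new or whose contents changed
# since the baseline was taken; prints nothing when the tree matches.
report_new_setid() {
    root=$1
    baseline=$2
    current=$(mktemp) || return 2
    scan_setid "$root" > "$current"
    LC_ALL=C comm -13 "$baseline" "$current"
    rm -f "$current"
}

# Usage: script ROOT BASELINE   (e.g. from cron, mailing any output)
if [ "$#" -eq 2 ]; then
    report_new_setid "$1" "$2"
fi
```

Keep the baseline file somewhere the scanned users cannot write, and regenerate it with `scan_setid` only after reviewing each reported entry.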


