Guide to writing secure setuid programs?

John Young jgy at hropus.UUCP
Wed Mar 30 02:10:49 AEST 1988


> In article <347 at wsccs.UUCP>, terry at wsccs.UUCP (terry) writes:
> >
> >	[ remarks on previous articles suppressed]
> > 
> > 	1) if /usr/spool/mail is writeable and on the same device as /etc:
> > 
> > 		$ ln /etc/passwd /usr/spool/mail/fred
> > 		$ echo "sneak::0:1:A hacker:/:/bin/sh" | mail fred
> > 		$ su fred
> > 		#
> 
> I tried this out on a Sun running 3.4. It don't work. 
> Mail is evidently smart enough to check for the existence of 
> the addressee, either locally or through the Yellow Pages.
> 
> I don't see as it matters whether /etc/passwd and the mail
> directory are on the same file system.
> 

OK.  Just take a look at the crontabs entries, /etc/rc entries,
/etc/backup_stuff entries and so on and so on (temp files for
ps, sar, etc....) for any references to files in /tmp or /usr/tmp.
Link the /etc/passwd file to that /tmp/file and either run the
command or wait for cron/root to run it for you!  BANG there goes
the password file!  If you pick the right utility, it will change
the modes so you can make your own entries.
SYSV's sticky directory bits will do nothing for this.

The answer,  keep the /etc on a filesystem which does not need to
contain directories writeable by "normal"(abnormal?) users.
Ideally, of course the whole root fs would be write protected
while in multi-user.
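
Added example, not part of the original post: one way a root-run program can refuse to write through a hard link planted under a fixed name in /tmp, as a program-side complement to the filesystem layout advice above. The names open_scratch and demo and the /tmp/linkdemo directory are made up for this demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a fixed-name scratch file in a shared directory without writing
 * through a link someone else planted. Returns an fd, or -1 on refusal. */
int open_scratch(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 || errno != EEXIST)
        return fd;                          /* created fresh, or a hard error */
    fd = open(path, O_WRONLY | O_NOFOLLOW); /* exists: no O_TRUNC before checks */
    if (fd < 0)
        return -1;
    /* Refuse anything that is not our own, singly linked regular file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid() || ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: "victim" stands in for a protected file; with
 * plant_link set, "scratch" is a hard link to it. Returns 1 if the open
 * succeeded, 0 if it was refused and victim is intact, negative otherwise. */
int demo(int plant_link)
{
    char dir[] = "/tmp/linkdemoXXXXXX", victim[64], scratch[64], buf[8] = "";
    FILE *f;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(scratch, sizeof scratch, "%s/scratch", dir);
    if (!(f = fopen(victim, "w"))) return -1;
    fputs("keep", f);
    fclose(f);
    if (plant_link && link(victim, scratch) != 0) return -1;
    int fd = open_scratch(scratch);
    if (fd >= 0) close(fd);
    if ((f = fopen(victim, "r"))) { if (!fgets(buf, sizeof buf, f)) buf[0] = 0; fclose(f); }
    unlink(scratch); unlink(victim); rmdir(dir);
    if (strcmp(buf, "keep") != 0) return -2;
    return fd >= 0;
}
```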


