Guide to writing secure setuid programs?
Steve Cumming
stevec at fornax.UUCP
Tue Mar 29 04:42:32 AEST 1988
In article <347 at wsccs.UUCP>, terry at wsccs.UUCP (terry) writes:
>
> [ remarks on previous articles suppressed]
>
> 1) if /usr/spool/mail is writeable and on the same device as /etc:
>
> $ ln /etc/passwd /usr/spool/mail/fred
> $ echo "sneak::0:1:A hacker:/:/bin/sh" | mail fred
> $ su fred
> #
I tried this out on a Sun running 3.4. It don't work.
Mail is evidently smart enough to check for the existence of
the addressee, either locally or through the Yellow Pages.
I don't see as it matters whether /etc/passwd and the mail
directory are on the same file system.
Moreover, if mail doesn't run setuid, which on our site it doesn't,
then it has no special priveleges, and can't write to a soft or
hard link to a protected file.
Steve Cumming
Systems worker
School of Computing Science
SFU
ubc-vision!fornax!stevec
More information about the Comp.unix.wizards
mailing list