Is there an FSDB Manual?
The Evil
pa1034 at sdcc13.ucsd.EDU
Tue Oct 10 13:01:16 AEST 1989
In article <890 at uniol.UUCP> lehners at uniol.UUCP (Joerg Lehners) writes:
>Executables without special privileges (i.e. without s-bits) should
>never be security holes.
>Are such beasts around? If so, I would like to hear about such things.
Any program which is publicly executable can potentially be a security
hole. A program can be non-SUID and still have code like:
{
exec shell to cp /bin/sh /tmp/sushi.
Now that the /tmp/sushi is owned by current owner,
do a chmod 6777 on it.
}
Surprise! The user now has the privileges of whoever runs this program.
If root runs it, BIG SURPRISE!!!
If someone gets superuser privileges he can change or rewrite some of
the more common utilities to bestow privileged SUID bits on shell programs
when the corresponding user uses the program. (e.g. whenever root
does an 'ls' now, he unknowingly creates a root trap door for an intruder.)
Of course, don't leave programs open to the public. (Then they don't need
root privilege to do this.)
>/ Joerg Lehners | Fachbereich 10 Informatik ARBI \
John Marco
pa1034 at iugrad2.ucsd.edu
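
A defender's check for the two conditions the post above describes, as an added example that is not part of the original post: set-ID files turning up under a directory such as /tmp, and programs that anyone can overwrite. The function names `classify` and `audit` and the default scan root are assumptions of this example.

```python
import os
import stat
import sys

EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def classify(mode):
    """Return the findings for one st_mode value (regular files only)."""
    findings = []
    if not stat.S_ISREG(mode):
        return findings
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID:
        findings.append("setgid")
    # Anyone can replace the contents of a world-writable program, so the
    # next user who runs it executes whatever was put there.
    if mode & stat.S_IWOTH and mode & EXEC_BITS:
        findings.append("world-writable executable")
    return findings

def audit(root):
    """Walk root and return sorted (path, owner uid, mode string, findings)."""
    results = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # file vanished or is unreadable; skip it
            findings = classify(st.st_mode)
            if findings:
                results.append((path, st.st_uid, stat.filemode(st.st_mode), findings))
    return sorted(results)

if __name__ == "__main__":
    # Default root is an assumption; pass other directories as arguments.
    for root in sys.argv[1:] or ["/tmp"]:
        for path, uid, mode, findings in audit(root):
            print(f"{mode} uid={uid} {path}: {', '.join(findings)}")
```

Run it over /tmp and over each directory on root's PATH; a set-ID file in a scratch directory or a writable system utility is worth investigating.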