/etc/shutdown permissions

Chris Siebenmann cks at ziebmef.uucp
Thu Nov 24 16:05:25 AEST 1988


In article <336 at magnus.UUCP> mml at magnus.UUCP (Mike Levin) writes:
...
>It's also that way in release 3.51, *BUT* if you are NOT root, it gives the
>appearance of proceeding to do it's thing, and then it fails.  For example,
>it warns of killing active phone conversations, etc., but then when it tries
>to do it's thing, it fails for "unable to send signal to init".  So, it is
>probably safe.

 It will however shut down your lp spooling system; /usr/lib/lpshut is
setuid root, setgid bin, and world executable. For that matter, all of
the /usr/lib/lp* lp admin stuff is setuid and world executable, so
anyone can play with your line printer setup.

 I'll second the opinion of the person who called the 3B1 one of the
most unsecure Unix systems around straight out of the box. Numerous
important directories are world or group writeable, unsecure setuid
applications about, and other similiar problems exist. If you're
running any sort of public access site, you should take a good hard
look at your system for security holes (interested people can send me
mail and I'll write up a description of the holes I plugged here).

-- 
	"The hell I will!"	WHAK!	"Surpise, kid -- they retract!
	 Try that again and I'll kick you back. With my claws."
Chris Siebenmann		uunet!utgpu!{ontmoh!moore,ncrcan}!ziebmef!cks
cks at ziebmef.UUCP	     or	.....!utgpu!{,ontmoh!,ncrcan!brambo!}cks



More information about the Unix-pc.general mailing list