Re: bin ownership problem

Brad Powell - Sun CIS (Brad.Powell@ebay.sun.com)
Thu, 19 May 94 10:12:22 PDT

>A prime example is /usr/games/chesstool on sunos 4.1.x machines. It came
>setuid bin for some unknown reason (I have this theory there is someone
>assigned at sun to just put random permissions on programs 
>before they hit the cd :-). Well, if you pop up sunview which is needed
>to run this, you can get any program you want run as user bin. And guess
>what, /etc is owned by bin on a standard install.


We had to change the setuid to bin when we changed the ownership of /etc
to bin. Otherwise you couldn't use chesstool to break root :-) :-)

(that was a joke for the smiley impaired btw)

Seriously though this was done so that it could write a high score file.

STUPID idea I know, but back a dozen years or so ago life was simpler,
the grass was greener, and system-crackers were rare. :-)
The late 70's and 80's were the years when the emphasis was on getting 
every computer system to talk to and work with every other computer system.
Now in the 90's we are trying to shut them up. :-0

Lesson:
Watch out for setuid/setgid programs that allow a shell escape :-) :-\ :-|


=======================================================================
Brad Powell : brad.powell@Sun.COM        | 
                                         |
Full Time: Sr. Network Security Analyst  |Part time: Cyberspace PI
           ENS Network Security Group    |           and Consultant
           Sun Microsystems Inc.         |
=======================================================================
               The views expressed are those of the author and may
                  not reflect the views of Sun Microsystems Inc.
=======================================================================
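
The ownership chain discussed in this thread (a setuid-bin program on a system where bin owns /etc) can be audited for directly. The sketch below is an added example, not part of the original message or any Sun tooling; it flags set-id programs whose non-root identity controls a sensitive path. The uid/gid numbers and every path other than /usr/games/chesstool and /etc are constructed sample data.

```python
import os
import stat
from collections import namedtuple

Entry = namedtuple("Entry", "path mode uid gid")

def collect(paths):
    """lstat each path into an Entry, skipping anything missing or unreadable."""
    entries = []
    for path in paths:
        try:
            st = os.lstat(path)
        except OSError:
            continue
        entries.append(Entry(path, st.st_mode, st.st_uid, st.st_gid))
    return entries

def ownership_chains(programs, sensitive):
    """Return sorted (program, target, reason) tuples for set-id programs
    whose non-root identity controls a sensitive path."""
    hits = []
    for prog in programs:
        if not stat.S_ISREG(prog.mode):
            continue
        for tgt in sensitive:
            # setuid to a non-root account that owns the target
            # (an owner can always chmod its way to write access)
            if prog.mode & stat.S_ISUID and prog.uid != 0 and prog.uid == tgt.uid:
                hits.append((prog.path, tgt.path, "setuid owner"))
            # setgid to a non-root group that has group write on the target
            elif (prog.mode & stat.S_ISGID and prog.gid != 0
                  and prog.gid == tgt.gid and tgt.mode & stat.S_IWGRP):
                hits.append((prog.path, tgt.path, "setgid group-write"))
    return sorted(hits)

# Constructed sample: uid/gid 2 stands in for "bin", gid 15 for a spool group.
SAMPLE_PROGRAMS = [
    Entry("/usr/games/chesstool", 0o104755, 2, 2),      # setuid bin
    Entry("/usr/bin/passwd", 0o104755, 0, 0),           # setuid root: not this check
    Entry("/usr/local/bin/spooltool", 0o102755, 0, 15), # setgid, hypothetical
    Entry("/usr/bin/ls", 0o100755, 2, 2),               # bin-owned, no set-id bit
]
SAMPLE_SENSITIVE = [
    Entry("/etc", 0o040755, 2, 0),                      # owned by bin
    Entry("/var/spool/jobs", 0o040775, 0, 15),          # group-writable, hypothetical
]

if __name__ == "__main__":
    for prog, tgt, why in ownership_chains(SAMPLE_PROGRAMS, SAMPLE_SENSITIVE):
        print(f"{prog} -> {tgt} ({why})")
```

On a live system, feed `collect()` the output of a set-id file search and the list of directories you consider sensitive, then review every reported pair.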