> Three solaris-related things I'd like to ask the list-- and if
> you know, and are willing to share this info (key point here), please
> speak up.
>
> 1) /var/mail is world writable, but has a sticky bit to prevent
> people from removing other people's mailboxes. Still, I
> can create mailboxes for users who don't have them (like smtp) ..
> will this pose a problem in the future?
>
> I know that if sendmail had some sort of support for v7
> forwarding capabilities (i.e. /var/mail/smtp contains
> Forward to |/tmp/foosh, then mail to smtp runs /tmp/foosh
> as uid smtp, which just happens to be 0 on our systems)
> this would be an easy exploit.. but apparently sendmail
> 8.6.9 doesn't hold to those kind of conventions (thank gods)
>
> 2) it was recently pointed out to me that /dev/tcp and /dev/ip
> were mode 666; could this be a problem? I thought maybe
> you could dump crap into them and it would possibly hose
> something.. or worse, you could just cat 'em and look
> at traffic. While both of these are probably unlikely,
> does anyone know for certain? And is it safe to chmod 600
> these?

You can relate both to "permission problems" under Solaris. Looking carefully over the filesystem, you could find out that SMI ships Solaris 2.X with the /etc directory writable for the "sys" group, which shouldn't be. So if you become root, bin, adm, or sys (or any other user with sys privileges) you can easily modify /etc/passwd & shadow and become root.

crash(1) allows you to snoop through kmem too (inherited from SunOS)

---Me.
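The permission problems raised in this thread (a group-writable /etc, a world-writable /var/mail relying on its sticky bit, and /dev/tcp and /dev/ip shipped mode 666) can be checked from a plain Bourne shell. The following audit script is an added example, not code from the original posters or from Sun; it parses nothing but `ls -ld` output so it runs on Solaris 2.x as well as on Linux, and the optional root-prefix argument (my own convention, not a Solaris feature) lets it be pointed at a mounted copy of a filesystem instead of the live one.

```shell
#!/bin/sh
# Permission audit for the paths discussed above (added example).
# Every check returns 0 = ok, 1 = finding, 2 = path not present.

# mode_of PATH: print the 10-character mode string from ls -ld,
# e.g. "drwxrwxr-x"; empty if the path does not exist.
mode_of() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# /etc must not be writable by group or others; a group-writable /etc
# lets any member of that group replace passwd and shadow.
check_dir_not_group_writable() {
    m=$(mode_of "$1"); [ -n "$m" ] || return 2
    case "$m" in
        ?????w????|????????w?) return 1 ;;   # group or other write bit set
    esac
    return 0
}

# A world-writable spool such as /var/mail is acceptable only with the
# sticky bit (position 10 shows t or T) so users cannot unlink others' files.
check_world_writable_has_sticky() {
    m=$(mode_of "$1"); [ -n "$m" ] || return 2
    case "$m" in
        ????????w[tT]) return 0 ;;   # world writable, sticky set
        ????????w?)    return 1 ;;   # world writable, no sticky bit
    esac
    return 0                         # not world writable at all
}

# Network device nodes should be reachable by their owner only (mode 600),
# which is the chmod suggested in the thread.
check_owner_only() {
    m=$(mode_of "$1"); [ -n "$m" ] || return 2
    case "$m" in
        ????------) return 0 ;;      # no group/other bits at all
    esac
    return 1
}

# run_check CHECK PATH MESSAGE: run one check, print the result and count
# findings in the global FINDINGS.
run_check() {
    rc=0; "$1" "$2" || rc=$?
    case $rc in
        1) echo "FINDING: $2: $3"; FINDINGS=$((FINDINGS + 1)) ;;
        2) echo "skip: $2 not present" ;;
        *) echo "ok: $2" ;;
    esac
}

# audit_solaris_perms [ROOT]: run all checks under the prefix ROOT
# ("" = the live system). Returns the number of findings.
audit_solaris_perms() {
    root="${1:-}"
    FINDINGS=0
    run_check check_dir_not_group_writable "$root/etc" \
        "writable by group or others (passwd/shadow can be replaced)"
    run_check check_world_writable_has_sticky "$root/var/mail" \
        "world writable without sticky bit"
    for dev in tcp ip; do
        run_check check_owner_only "$root/dev/$dev" \
            "readable/writable by group or others; consider chmod 600"
    done
    return $FINDINGS
}

# Invoke as: sh audit.sh --run [ROOT]; with no arguments the functions are
# only defined, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_solaris_perms "${2:-}"
fi
```

The checks deliberately look only at the mode bits, not at ownership, so a run on a fresh install reports exactly the three conditions the thread is about; anything else the `sys` group can reach would need its own check.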