Re: Solaris problems?

jsz (jsz@ramon.bgu.ac.il)
Sun, 31 Jul 94 1:32:30 IDT

> 
> 
> Three solaris-related things I'd like to ask the list-- and if
> you know, and are willing to share this info (key point here), please
> speak up.
> 
> 1) /var/mail is world writable, but has a sticky bit to prevent
>    people from removing other people's mailboxes.  Still, I
>    can create mailboxes for users who don't have them (like smtp) ..
>    will this pose a problem in the future?
> 
>    I know that if sendmail had some sort of support for v7 
>    forwarding capabilities (i.e., /var/mail/smtp contains
>    Forward to |/tmp/foosh, then mail to smtp runs /tmp/foosh
>    as uid smtp, which just happens to be 0 on our systems)
>    this would be an easy exploit.. but apparently sendmail
>    8.6.9 doesn't hold to those kind of conventions (thank gods)
> 
> 2) it was recently pointed out to me that /dev/tcp and /dev/ip
>    were mode 666; could this be a problem?  I thought maybe
>    you could dump crap into them and it would possibly hose
>    something.. or worse, you could just cat 'em and look
>    at traffic.  While both of these are probably unlikely,
>    does anyone know for certain?  And is it safe to chmod 600
>    these?


You can relate both to "permission problems" under Solaris. Looking carefully
over the filesystem, you could find out that SMI ships Solaris 2.X with the /etc
directory writable by the "sys" group, which it shouldn't be.
So if you become root, bin, adm, or sys (or any other user with sys privileges),
you can easily modify /etc/passwd & shadow and become root.

crash(1) allows you to snoop through kmem too (inherited from SunOS).


---Me.
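
A defender's check for the permission patterns raised in this thread (group-writable /etc, world-writable /var/mail, mode 666 /dev/tcp and /dev/ip), as an added example that is not part of the original messages. The function names are hypothetical, and it uses only POSIX find(1) tests so it does not depend on GNU stat.

```shell
#!/bin/sh
# Added example: report risky write permissions on a list of paths.

# has_perm PATH OCTAL -> succeeds if every bit in OCTAL is set on PATH itself.
# -prune stops find from descending, so only PATH is tested.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" -print 2>/dev/null)" ]
}

# audit_path PATH -> prints one finding per line; prints nothing if PATH
# is neither group- nor world-writable.
audit_path() {
    p=$1
    [ -e "$p" ] || { echo "$p: missing"; return 0; }
    if has_perm "$p" 0020; then
        echo "$p: group-writable"
    fi
    if has_perm "$p" 0002; then
        if [ -d "$p" ] && has_perm "$p" 1000; then
            # Sticky bit stops deletion of other users' files, but any
            # user can still create entries that do not exist yet.
            echo "$p: world-writable with sticky bit"
        else
            echo "$p: world-writable"
        fi
    fi
}

# audit_paths PATH... -> audit each argument in turn.
# Example call with the paths named in the thread:
#   audit_paths /etc /var/mail /dev/tcp /dev/ip
audit_paths() {
    for path in "$@"; do
        audit_path "$path"
    done
}
```

Findings are only a starting point: whether tightening a mode is safe depends on which system programs need the access, so test any change before applying it broadly.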