> of (thanks for nothing, security thru obscurity folks - the crackers DO
> have information that is denied us 'ordinary' folks). This was a new
> install, and it lasted about 4 days. One person heard thru the cracker
> grapevine that root was broken thru /bin/mail. HOW?! The
> permissions-fixing script from Sun had been run, plus things like arp,
> chill and

The bug in /bin/mail is fairly well known (not the one that SunOS has a
patch out for, but the one after - after the 8lgm advisory about this,
there was some talk in comp.security.unix about any setuid root /bin/mail
being vulnerable). Also, that "Guide to securing your SunOS 4.1.3 machine"
article talked a lot about that (btw: is anyone maintaining that? it's a
great file). I don't think CERT or Sun has an advisory or patch for it...
just the ones mentioned in comp.security.unix.

>
> Can someone out there please inform me how these cracker types are getting
> root privs, and how one can stop it short of disconnecting the machine?
> And most important, how one can test for these vulnerabilities, and FIX
> them. Is there a hole in /bin/mail? How does one test for it (I am working
> on a port of net-2s /bin/mail replacement). Also, how can one prevent

Yes, there is a bug in /bin/mail - if it is setuid root (ie: used as a
delivery agent) it can be exploited to gain root access. There was an
advisory about this ages ago (I forget who, some guy called Joerg Czeranski
wrote it I think) - his solution was to use a local delivery agent he wrote
called mail.local. If you want to close this hole, chmod u-s /bin/mail,
install either procmail or the mail.local (which I have yet to find
anywhere; procmail is easy to find... (I forget where... archie is your
friend)), and then edit your Mlocal line in /etc/sendmail.cf to be procmail
instead of /bin/mail.

As for the bug in it... umm... well... I dunno... there is one (I won't be
like jsz and say 'perhaps') and it is fairly well known and exploited.
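An added check, not code from the original post or from any Sun or sendmail tool, for the two-part fix the reply describes: it reports whether the local delivery agent named on the Mlocal line of a sendmail.cf is a setuid /bin/mail, and it rewrites that line to point at procmail. The Mlocal line layout, the procmail path (/usr/local/bin/procmail) and the mailer flags are assumptions modelled on SunOS-era sendmail.cf; the sample config the demo builds is constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sun/sendmail:
# audit the condition described in the reply (sendmail's local delivery
# agent is a setuid-root /bin/mail) and rewrite the Mlocal line to use
# procmail. The Mlocal line layout, the procmail path and the mailer flags
# below are assumptions modelled on SunOS-era sendmail.cf; the sample
# config built in demo() is constructed, not taken from a real system.

# is_setuid PATH -> exit 0 if PATH has the setuid bit (POSIX find -perm).
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# local_mailer_path CF -> print the P= program of the "Mlocal" mailer in CF.
local_mailer_path() {
    sed -n 's/^Mlocal,.*P=\([^,]*\),.*/\1/p' "$1" | head -n 1
}

# audit_local_mailer CF -> 0 if the local mailer is not a setuid /bin/mail,
# 1 if it is (the exploitable setup the post describes).
audit_local_mailer() {
    mailer=$(local_mailer_path "$1")
    case "$mailer" in
        */bin/mail)
            if is_setuid "$mailer"; then return 1; fi
            ;;
    esac
    return 0
}

# rewrite_mlocal CF OUT PROCMAIL -> copy CF to OUT with the Mlocal line
# replaced by a procmail delivery agent (flags are illustrative assumptions).
rewrite_mlocal() {
    sed "s|^Mlocal,.*|Mlocal, P=$3, F=lsDFMShP, S=10, R=20, A=procmail -d \$u|" \
        "$1" > "$2"
}

# demo: constructed sendmail.cf fragment pointing at a fake setuid "mail"
# in a scratch directory, then the fix: drop setuid, switch the mailer.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" && : > "$d/bin/mail" && chmod 4755 "$d/bin/mail"
    printf 'Mlocal, P=%s, F=rlsDFMmnP, S=10, R=20, A=mail -d $u\n' \
        "$d/bin/mail" > "$d/sendmail.cf"
    if audit_local_mailer "$d/sendmail.cf"; then
        echo "local mailer ok"
    else
        echo "WEAK: $(local_mailer_path "$d/sendmail.cf") is setuid and is the local mailer"
    fi
    chmod u-s "$d/bin/mail"
    rewrite_mlocal "$d/sendmail.cf" "$d/sendmail.cf.new" /usr/local/bin/procmail
    if audit_local_mailer "$d/sendmail.cf.new"; then
        echo "fixed: local mailer is now $(local_mailer_path "$d/sendmail.cf.new")"
    fi
    rm -rf "$d"
}

demo
```

On a real host you would run audit_local_mailer against /etc/sendmail.cf and, if it reports the weak setup, apply the same two steps the post gives: chmod u-s /bin/mail and point the Mlocal line at the replacement delivery agent (procmail or mail.local).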