On Fri, 3 Mar 1995, Christian A. Ratliff wrote: > On Thu, 2 Mar 1995 14:03:03 -0500 (EST) Larry Glaze wrote: > > I want to give admins some time to change the priveldges on the permissions > > tool so I am waiting until Monday morning (when I get to work) to post the > > exploit of this hole. > > > bugtraq is a FULL disclosure list. > > The hole comes from the authentication being at the _dirview_ (an SGI > directory browser) level. You can only pull up 'permissions' when the menu > item is not grayed out. If you run 'permissions' by hand, you eliminate > that check and have root access to the permissions on an file. > Turning the setuid/setgid bit off is a perfectly sensible solution to > this problem, and it is beyond me why that wasn't the default permissions. > I attempted to verify this problem on one of our SGI IRIX 5.2 boxes and found that with or without the sgid/suid bits set and from dirview or from the command line -- the permissions routine prompts you for a name and password of a priveledged user. I didn't check to see if password attempts were logged, but permissions seems pretty secure to me. Erik ____ _____ _______ __ Erik Lindquist / _ | / ___/ / _____/ / / Systems Administrator / /_| | / /__ / / / / AECL Whiteshell Laboratories / __ | / ___/ / / / / VOICE: (204) 753-2311x3145 / / | | / /____ / /_____ / /_____ FAX: (204) 753-2455 /_/ |_| /______/ /_______/ /________/ E-mail: lindquie@wu1.wl.aecl.ca