- Path: sparky!uunet!dtix!darwin.sura.net!mips!sdd.hp.com!hpscdc!hplextra!otter.hpl.hp.com!otter!sjmz
- From: sjmz@otter.hpl.hp.com (Stefek Zaba)
- Newsgroups: comp.security.misc
- Subject: Re: Re: root-owned world-writable files
- Message-ID: <61350001@otter.hpl.hp.com>
- Date: 22 Jul 92 20:53:53 GMT
- References: <1992Jul21.201056.662@newshost.lanl.gov>
- Organization: Hewlett-Packard Laboratories, Bristol, UK.
- Lines: 23
-
- In comp.security.misc, jfowler@beta.lanl.gov (John C. Fowler) writes that
- world-writeable root-owned files are only a problem if root trusts the
- file contents. This is false: sometimes an attack requires a root-owned
- file to succeed, and by linking (hard or symbolic) to the carelessly-left
- file, this attack will succeed.
-
- For example: a wannabe sysadmin leaves their home directory world-writeable.
- This allows the attacker to plant a .rhosts file which will allow them in.
- However, the authentication mechanism requires that .rhosts be owned by
- the user. If you find a world-writeable root-owned file on the same volume,
- you can now ln it to /root/wannabe/.rhosts... Similarly for other "trusted"
- files. Granted, the "real" problem is the writeability of the affected
- directory, but the world-writeable root-owned file is still an essential
- element in allowing the attack to succeed.
-
- [Any similarity to a FOR-LOCAL-DEMONSTRATION-PURPOSES-ONLY "attack" a good
- few years ago as part of educating a new sysadmin is less than entirely
- coincidental.]
-
- I can think of no useful purpose for root-owned world-writeable files; but
- I'm sure the net's collective wisdom can come up with a few plausible ones...
-
- Toodle-pip, Stefek
-
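An audit for the two conditions the post above combines, a root-owned world-writable regular file and a world-writable directory without the sticky bit, added here as an example and not part of the original post. The function names, the `owner_uid` parameter and the report format are assumptions of this example; `fs.protected_hardlinks` is a Linux sysctl that postdates the post and restricts who may hard-link to a file.

```python
import os
import stat
import sys

def _paths(root):
    yield root
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow symlinks
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def audit(root, owner_uid=0):
    """Return (kind, path, nlink) findings under root.

    "ww-file": regular file owned by owner_uid that others can write
    "ww-dir":  directory others can write that lacks the sticky bit
    """
    findings = []
    for path in _paths(root):
        try:
            st = os.lstat(path)  # lstat: judge the entry itself, never a link target
        except OSError:
            continue
        world_writable = bool(st.st_mode & stat.S_IWOTH)
        if stat.S_ISREG(st.st_mode) and st.st_uid == owner_uid and world_writable:
            # nlink > 1 means another name for this inode already exists somewhere
            findings.append(("ww-file", path, st.st_nlink))
        elif stat.S_ISDIR(st.st_mode) and world_writable and not st.st_mode & stat.S_ISVTX:
            findings.append(("ww-dir", path, st.st_nlink))
    return findings

def hardlink_protection():
    """Linux fs.protected_hardlinks value, or None where the sysctl is absent."""
    try:
        with open("/proc/sys/fs/protected_hardlinks") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    print("fs.protected_hardlinks =", hardlink_protection())
    for kind, path, nlink in audit(root):
        note = "  (extra hard links exist)" if kind == "ww-file" and nlink > 1 else ""
        print(f"{kind}\t{path}{note}")
```

Run it once per mounted volume, since a hard link can only be made within one filesystem; each "ww-file" finding is fixed by removing the other-write bit or the file itself.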