- Newsgroups: comp.security.misc
- Path: sparky!uunet!think.com!ames!data.nas.nasa.gov!ace.nas.nasa.gov!jns
- From: jns@ace.nas.nasa.gov (John N. Stewart)
- Subject: Re: Setuid file
- References: <chupchup.720790116@piggy> <1d9ggiINNsfb@sequoia.ccsd.uts.EDU.AU>
- Sender: news@nas.nasa.gov (News Administrator)
- Organization: NAS, NASA Ames Research Center, Moffett Field, California
- Date: Mon, 9 Nov 92 18:33:58 GMT
- Message-ID: <1992Nov9.183358.12335@nas.nasa.gov>
- Lines: 37
-
-
- In article <1d9ggiINNsfb@sequoia.ccsd.uts.EDU.AU> mgream@acacia (Matthew Gream) writes:
- >Robert Earl (chupchup@ferkel.ucsb.edu) wrote:
- >:
- >: | Found this on one of our systems. Anyone know if there is any way
- >: | this could be used to obtain root access?
- >: | -rwsr-xr-x 1 root 0 Apr 7 1992 file
- >:
- >: | Yes, most of the holes that work for setuid-shell scripts will work
- >: | for this file, even though it is empty.
-
- >No one yet asked what OS this was, HP-UX doesn't clear the setuid-bit on
- >an append (at least it didn't in one of its installed versions I've seen),
- >so appending a shell script to make a setuid shell is a trivial job.
- >
- >Correct me if I'm wrong.
-
-
- Not wrong -- SGI's don't do it either (e.g. the file's setuid-bit is
- left alone). The only addition to this is that this file can only be
- appended to by root -- and if the whole point is to get root through
- this method -- well, it seems to be a catch-22.
-
- There is a simple logic -- anything that is setuid has a potential --
- it's intuitive. Sure, an empty file may not seem bad -- but there are
- potential risks.
-
- My $0.02 worth ...
-
- --Ace
-
-
-
- John Stewart (Ace)
- CSS/DSS/Security/Postmaster/NewsAdmin
- NASA Ames Research Center
- (415) 604-4345
-
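An audit sketch for the situation discussed in this thread, added here as an example and not part of the original post: it lists setuid files that are empty or writable by someone other than the owner, and probes whether the local system clears the setuid bit on append. The function names and report labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit helpers for the setuid-file discussion above.
# Function names and report labels are hypothetical.

# audit_setuid DIR
# Print "LABEL<TAB>PATH" for setuid regular files under DIR that are
#   EMPTY    - zero length, like the file in the thread
#   WRITABLE - group- or world-writable, so a non-owner can change the contents
audit_setuid() {
    find "$1" -xdev -type f -perm -4000 -size 0 \
        -exec printf 'EMPTY\t%s\n' {} \; 2>/dev/null
    find "$1" -xdev -type f -perm -4000 \( -perm -020 -o -perm -002 \) \
        -exec printf 'WRITABLE\t%s\n' {} \; 2>/dev/null
}

# probe_setuid_on_append
# Print "kept" or "cleared": whether the setuid bit survives an append by the
# current user. Uses a scratch file owned by that user, so nothing privileged
# is created. On Linux a privileged writer keeps the bit, so run this as an
# ordinary user to see what an unprivileged append does.
probe_setuid_on_append() {
    t=$(mktemp) || return 1
    chmod 4755 "$t"
    echo x >> "$t"
    if [ -n "$(find "$t" -perm -4000)" ]; then
        echo kept
    else
        echo cleared
    fi
    rm -f "$t"
}

# Stand-alone use: sh audit.sh /usr/bin
if [ "$#" -gt 0 ]; then
    audit_setuid "$1"
fi
```

A "kept" result together with any WRITABLE line means the contents of that setuid file can be changed while it stays setuid, which is the case the replies describe.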