home *** CD-ROM | disk | FTP | other *** search
- Newsgroups: comp.security.misc
- Path: sparky!uunet!ferkel.ucsb.edu!taco!gatech!swrinde!elroy.jpl.nasa.gov!usc!rpi!scott.skidmore.edu!psinntp!psinntp!pool!buck
- From: buck@pool.info.sunyit.edu (Jesse Buckley)
- Subject: Re: Setuid file
- Message-ID: <1992Nov10.151709.5734@pool.info.sunyit.edu>
- Organization: State University of New York -- Institute of Technology
- References: <chupchup.720790116@piggy> <1d9ggiINNsfb@sequoia.ccsd.uts.EDU.AU> <1992Nov9.183358.12335@nas.nasa.gov>
- Date: Tue, 10 Nov 1992 15:17:09 GMT
- Lines: 34
-
- In article <1992Nov9.183358.12335@nas.nasa.gov> jns@ace.nas.nasa.gov (John N. Stewart) writes:
- >
- >In article <1d9ggiINNsfb@sequoia.ccsd.uts.EDU.AU> mgream@acacia (Matthew Gream) writes:
- >>Robert Earl (chupchup@ferkel.ucsb.edu) wrote:
- >>:
- >>: | Found this on one of our systems. Anyone know if there is any way
- >>: | this could be used to obtain root access?
- >>: | -rwsr-xr-x 1 root 0 Apr 7 1992 file
- >>:
- >>: | Yes, most of the holes that work for setuid-shell scripts will work
- >>: | for this file, even though it is empty.
- >
- >>No one yet asked what OS this was, HP-UX doesnt clear the setuid-bit on
- >>an append (at least It didnt in one of its installed versions ive seen),
- >>so appending a shell script to make a setuid shell is a trivial job.
- >>
- >>Correct me if im wrong.
- >
- >
- >Not wrong -- SGI's don't do it either (e.g. the files setuid-bit is
- >left alone). The only addition to this is that this file can only be
- >appended to by root -- and if the whole point is to get root through
- >this method -- well, it seems to be a catch-22.
- >
- >There is a simple logic -- anything that is setuid has a potential --
- >it's intuitive. Sure, an empty file may not seem bad -- but there are
- >potential risks.
-
- Like a "hideing" place for suid stuff.
-
-
- --
- =) Buck (buck@sunyit.edu)
- "Crime does not pay ... as well as politics." -- A. E. Newman
-
