bph@buengc.BU.EDU (Blair P. Houghton) (10/12/89)

In article <1288@sdcc13.ucsd.EDU> pa1034@sdcc13.ucsd.edu.UUCP (The Evil(tm) One) writes:

Whoever chose your name chose well...

>Any program which is publicly executable can potentially be a security
>hole. A program can be non-SUID and still have code like:
>	{
>	exec shell to cp /bin/sh /tmp/sushi.
>	Now that the /tmp/sushi is owned by current owner,
>	do a chmod 6777 on it.
>	}
>Surprise! the user now has the privileges of whoever runs this program.
>if root runs it, BIG SURPRISE!!!

It can't be stopped, no. There is a way, though, to check for the
results of such things. (This is paraphrased from the security chapter
in Fiedler and Hunter, UNIX(tm) System Administration, Hayden,
Indianapolis, 1986.)

	find / -perm -4000 -exec ls -ldg \{\} \;

will find all files with the setuid bit set. I do it every once in a
while just to see what's up, and it only returns a few dozen lines.

If you really want to check, you should probably run every one of the
listed programs to make sure it's still the program it's supposed to be.

Then again, you could just diff it with a master list you keep locked
away somewhere, then have it mail you and pull the fire alarm if
anything ever changes...

				--Blair
				  "Crank, crank, crank..."
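
The "diff it with a master list" check described in the post, as an added example that is not part of the original post or of the book it cites. It goes slightly beyond the post's find command by also matching the setgid bit (the quoted chmod 6777 sets both) and by recording a content hash; the function names are hypothetical and sha256sum from GNU coreutils is assumed.

```shell
#!/bin/sh
# Added example. suid_snapshot and suid_check are hypothetical names.
# Assumes sha256sum (GNU coreutils). File names containing newlines
# are not handled.

# Print one line per setuid or setgid regular file under $1:
#   <mode> <uid> <gid> <sha256> <path>
suid_snapshot() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r f; do
        # Mode string, numeric owner and numeric group from ls -ldn.
        meta=$(ls -ldn "$f" | awk '{print $1, $3, $4}')
        # Hash via stdin so odd file names cannot alter the output format.
        sum=$({ sha256sum < "$f"; } 2>/dev/null | awk '{print $1}')
        # Execute-only binaries cannot be read by an unprivileged scan.
        [ -n "$sum" ] || sum=UNREADABLE
        printf '%s %s %s\n' "$meta" "$sum" "$f"
    done
}

# Compare the tree $1 with the baseline file $2.
# Prints the diff ("<" = baseline only, ">" = present now).
# Returns 0 if nothing changed, 1 if anything differs, 2 on setup failure.
suid_check() {
    current=$(mktemp) || return 2
    suid_snapshot "$1" > "$current"
    if diff "$2" "$current"; then rc=0; else rc=1; fi
    rm -f "$current"
    return "$rc"
}

# Stand-alone use:  script TREE BASELINE
# Create the baseline once with:  suid_snapshot TREE > BASELINE
if [ "$#" -eq 2 ]; then
    suid_check "$1" "$2"
fi
```

Keep the baseline where a compromised account cannot rewrite it, such as read-only or offline media. From cron, a non-zero exit status is the point at which to send the mail the post mentions.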