levy@ttrdc.UUCP (Daniel R. Levy) (11/04/86)
In article <700@copper.UUCP>, stevesu@copper.UUCP (Steve Summit) writes:
>In article <8616@sun.uucp>, guy@sun.uucp (Guy Harris) writes:
>> > Anyway, if a setuid program overwrites itself, it is no longer setuid!
>> It says this *in the 4BSD manual page for write(2)*; this is a Berkeleyism.
>> I consider it to be an airbag;...
>I think this airbag solves a significant class of potential
>security problems...
>/usr/bin/uniq was setuid
>root!
>But since uniq happens to take an output
>filename argument, I could have parlayed that hole into a general
>one, by using the incongruously setuid uniq to scribble a
>genuinely useful program (like /bin/sh) onto a previously setuid
>program (like /bin/passwd).

Right in principle; in practice I'd think you'd have a hard time getting uniq
to pass a binary file :-).  Still, a point well taken.

>It's true that limited write ability could still be used to
>scribble on /etc/passwd (which is less desirable for a hacker's
>purpose due to console log messages for su's), and to do a few
>more subtle tricks (which I think I won't mention).
>	Steve Summit

While su's may show up on the console, does it show up on the console in BSD
if a user simply logs in to an account (other than root) which shows a UID of 0
in /etc/passwd?  SysV doesn't allow direct login to a UID 0 account except at
the console, but I don't have a BSD system to try this with.
-- 
 -------------------------------    Disclaimer:  The views contained herein are
|       dan levy | yvel nad      |   my own and are not at all those of my em-
|         an engihacker @        |   ployer or the administrator of any computer
| at&t computer systems division |   upon which I may hack.
|        skokie, illinois        |
 --------------------------------   Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,
   go for it!  allegra,ulysses,vax135}!ttrdc!levy
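The three things the exchange above turns on, an unexpectedly setuid-root utility like uniq, a second UID 0 account in /etc/passwd, and whether write(2) really clears the setuid bit, as an added audit script that is not part of the thread; the directory tree, allowlist and passwd entries it builds are constructed fixtures.

```shell
#!/bin/sh
# Added audit example (not from the thread). Three checks tied to the
# discussion above; every path, name and allowlist entry here is constructed.

# 1. Setuid files under $1 whose basename is not in allowlist file $2
#    (one name per line). A stray setuid uniq would be flagged.
unexpected_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | while read -r f; do
        grep -qxF "$(basename "$f")" "$2" || echo "$f"
    done
}

# 2. Accounts in passwd file $1 with UID 0 other than root; each is a
#    route to root that a console log of su's would never show.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# 3. Does writing to a setuid file clear the bit here (the 4BSD write(2)
#    "airbag")? Creates $1, sets u+s, appends to it and reports. On Linux
#    the bit is cleared only when the writer lacks CAP_FSETID, so when run
#    as root this reports "kept".
setuid_after_write() {
    : > "$1" && chmod u+s "$1" && echo overwrite >> "$1" || return 1
    if [ -u "$1" ]; then echo kept; else echo cleared; fi
}

# Constructed fixture: a fake bin directory with two setuid files, an
# allowlist, and a fake passwd file with an extra UID 0 account.
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/bin"
    touch "$t/bin/passwd" "$t/bin/uniq" "$t/bin/ls"
    chmod 4755 "$t/bin/passwd" "$t/bin/uniq"
    chmod 755 "$t/bin/ls"
    printf 'passwd\nsu\n' > "$t/allow"
    printf 'root:x:0:0::/:/bin/sh\ntoor:x:0:0::/:/bin/sh\ndan:x:100:100::/u/dan:/bin/sh\n' > "$t/passwd"
    echo "unexpected setuid: $(unexpected_setuid "$t/bin" "$t/allow")"
    echo "extra uid 0:       $(extra_uid0 "$t/passwd")"
    echo "write(2) airbag:   $(setuid_after_write "$t/probe")"
    rm -rf "$t"
}
```

Run `demo` to see all three checks against the fixture; point the first two functions at a real root directory and /etc/passwd to audit a live system.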