Date:      Tue, 25 Jun 1996 01:35:28 -0700 (PDT)
From:      -Vince- <vince@mercury.gaianet.net>
To:        Johann Visagie <jvisagie@insight.co.za>
Cc:        mark@grumble.grondar.za, hackers@FreeBSD.org, security@FreeBSD.org, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
Subject:   Re: I need help on this one - please help me track this guy down!
Message-ID:  <Pine.BSF.3.91.960625013326.21697m-100000@mercury.gaianet.net>
In-Reply-To: <m0uYTO8-000vDSC@asterix.insight.co.za>

On Tue, 25 Jun 1996, Johann Visagie wrote:

> -Vince- wrote:
> >
> > 	Hmmm, really?  It seems like almost all systems root has . for the
> > path but if the directory for root is like read, write, execute by root
> > only, how will they get into it?
> 
> -Vince- also writes (in response to Mark Murray):
> 
> > > For much more info, I recommend "Practical Unix Security" from
> > > O'Reilly and Associates, (By Garfinkel?)
> > 
> > 	I have that book but there are always ways no one knows about ;)
> 
> I would suggest you _read_ it ;), specifically page 151 ff. (assuming you
> have the first edition), where path attacks are described.  To summarise an
> example in that section:
> 
> 1)  User realises root has '.' in his path
> 2)  User creates a file called something funny like '-i' in his home
>     directory
> 3)  User creates a script called 'ls' in his home directory, which first
>     attempts to create a setuid root shell somewhere, and then calls the
>     "real" /bin/ls
> 4)  User tells his sysadmin there's a "funny file" in his home directory that
>     he can't get rid of
> 5)  Root cd's to user's home directory and types "ls" to see what's going on.
> 6)  Voila!

	Yes but what happens if it was like this case:

1) user knows sysadmin so sysadmin creates account for him
2) user logs in and puts a file named root with the sysadmin watching him
3) user runs root and gets root... this only works if the user is using
	bash or sh for the login shell, if you use csh or tcsh, it doesn't
	work.

Vince
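
A defensive check for the condition this thread turns on, as an added example that is not part of the original message: the sh function below flags PATH entries that resolve to the current directory ('.' or an empty component). It goes beyond the case quoted above by also flagging other relative entries and world-writable directories. The function name audit_path and the sample PATH value are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a PATH string for entries that let
# a command planted in someone else's directory run instead of the system one.
# audit_path and the sample value below are hypothetical names/values.

# audit_path PATHSTRING
# Prints one finding per risky entry; returns 1 if any were found, else 0.
audit_path() {
    rest="$1:"          # trailing ":" so the loop also sees a final empty entry
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            "")  echo "cwd: empty entry"; found=1 ;;   # "::" or a leading/trailing ":" means "."
            .)   echo "cwd: ."; found=1 ;;
            /*)  # absolute: flag it if users outside the owner and group can write to it
                 perms=$(ls -ldL "$entry" 2>/dev/null) || perms=""
                 case $perms in
                     d???????w*) echo "world-writable: $entry"; found=1 ;;
                 esac ;;
            *)   echo "relative: $entry"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample: a root PATH of the kind discussed above, ending in ".".
SAMPLE_PATH="/sbin:/bin:/usr/sbin:/usr/bin:."
audit_path "$SAMPLE_PATH" || echo "PATH has risky entries; remove them from root's shell startup files"
```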