Date: Tue, 25 Jun 1996 02:03:35 -0700 (MST) From: Don Yuniskis <dgy@rtd.com> To: vince@mercury.gaianet.net (-Vince-) Cc: dgy@rtd.com, mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net Subject: Re: I need help on this one - please help me track this guy down! Message-ID: <199606250903.CAA01576@seagull.rtd.com> In-Reply-To: <Pine.BSF.3.91.960625015113.21697o-100000@mercury.gaianet.net> from "-Vince-" at Jun 25, 96 01:52:02 am
next in thread | previous in thread | raw e-mail | index | archive | help
It seems that -Vince- said: > > On Tue, 25 Jun 1996, Don Yuniskis wrote: > > > It seems that -Vince- said: > > > Hmmm, that's only if we had phone support.... We don't :) but do > > > admins really go run a program that the user said won't run? > > > > Well, it *appears* that one of *you* did! :> > > Well, jbhunt was the one who gave the user the account and the > user just transferred the root which is /bin/sh with setuid and ran it > and he got root.... Um, someone can (and undoubtedly *will* :>) correct me if I'm wrong but there's *NO WAY* to install a setuid binary *without* having root in the first place! So, he could copy the program onto your machine and the system would strip the "setuid" bit automatically. Otherwise, there's no point in the setuid mechanism as anyone could make a setuid binary on their own system and just upload it to yours!
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199606250903.CAA01576>