Date: Tue, 25 Jun 1996 02:22:11 -0700 (PDT)
From: -Vince- <vince@mercury.gaianet.net>
To: Don Yuniskis <dgy@rtd.com>
Cc: dgy@rtd.com, mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
Message-ID: <Pine.BSF.3.91.960625022147.21697p-100000@mercury.gaianet.net>
In-Reply-To: <199606250903.CAA01576@seagull.rtd.com>

On Tue, 25 Jun 1996, Don Yuniskis wrote:

> It seems that -Vince- said:
> >
> > On Tue, 25 Jun 1996, Don Yuniskis wrote:
> >
> > > It seems that -Vince- said:
> > > > Hmmm, that's only if we had phone support.... We don't :) but do
> > > > admins really go run a program that the user said won't run?
> > >
> > > Well, it *appears* that one of *you* did! :>
> >
> > Well, jbhunt was the one who gave the user the account and the
> > user just transferred the root which is /bin/sh with setuid and ran it
> > and he got root....
>
> Um, someone can (and undoubtedly *will* :>) correct me if I'm wrong
> but there's *NO WAY* to install a setuid binary *without* having root
> in the first place! So, he could copy the program onto your
> machine and the system would strip the "setuid" bit automatically.
> Otherwise, there's no point in the setuid mechanism as anyone could make
> a setuid binary on their own system and just upload it to yours!

Yeah, that's what I'm trying to figure out...

Vince
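
An added example, not part of the original message or of any participant's reply: a Python audit that walks a directory tree, lists every setuid/setgid regular file with its owner, and marks files whose contents are byte-identical to a system shell, which is the "/bin/sh with setuid" artifact the thread describes. The function names, the default `/home` scan root and the default shell list are assumptions of this example.

```python
"""Audit a directory tree for setuid/setgid copies of a shell (added example)."""
import hashlib
import os
import stat
import sys


def sha256_of(path):
    """Hash a file in chunks so large binaries do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_setid_files(root, shell_paths=("/bin/sh",)):
    """Return (path, mode, uid, is_shell_copy) for each setuid/setgid file under root."""
    shell_hashes = set()
    for shell in shell_paths:
        try:
            shell_hashes.add(sha256_of(shell))  # follows symlinks to the real shell
        except OSError:
            pass  # shell not present on this host
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow a planted symlink
                if not stat.S_ISREG(st.st_mode):
                    continue
                if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    continue
                is_copy = sha256_of(path) in shell_hashes
            except OSError:
                continue  # unreadable or vanished during the walk
            findings.append((path, stat.filemode(st.st_mode), st.st_uid, is_copy))
    # Shell copies first, then root-owned files: those matter most to an admin.
    findings.sort(key=lambda f: (not f[3], f[2] != 0, f[0]))
    return findings


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/home"  # assumed default
    for path, mode, uid, is_copy in find_setid_files(scan_root):
        tag = "SHELL-COPY" if is_copy else "setid"
        print(f"{tag:10} {mode} uid={uid} {path}")
```

The owner column matters as much as the mode: a setuid file runs with the privileges of its owner, so a root-owned entry under a user's home directory is the one to investigate first.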