Date: Sat, 13 Jul 1996 00:47:03 -0700 (PDT)
From: David Lowe <dlowe@best.com>
To: security@freefall.freebsd.org
Subject: dump, rdump
Message-ID: <Pine.SGI.3.93.960713002509.9746A-100000@shellx.best.com>
/sbin/dump and /sbin/rdump probably shouldn't be world-executable, as they are in the default config of 2.1.0-STABLE. As far as I know, this isn't a root-gaining problem, but any user can use:

    /sbin/dump 0f $HOME/whatever /usr   (or /var)

and parse the files created for interesting info. My biggest concern would be that any user could read any other's incoming or outgoing mail using this technique and a short awk program.

So much for the bug description. Now my related questions. From main.c in /usr/src/sbin/dump:

    (void)setuid(getuid());   /* rmthost() is the only reason to be setuid */

So it would appear that the program has reverted to the real user-id. Why then is it able to read all files on /usr or /var? And yet can't open / to dump it (which would be a more severe problem, allowing access to the passwords)? I'm stumped.

Thanks.

J. David Lowe ::: dlowe@best.com ::: ai334@freenet.carleton.ca
http://www.best.com/~dlowe/ ::::: ftp://ftp.best.com/web1/dlowe/
finger for pgp key and geek code
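A small audit helper for the permission problem the report describes, added here as an example and not part of the original e-mail or of FreeBSD: it reads a binary's mode bits portably via ls(1), flags any set-user-id or set-group-id program that is also executable by "other", and suggests the tightening (chmod o-x) for /sbin/dump and /sbin/rdump. Paths and the verdict format are the example's own choices.

```shell
#!/bin/sh
# Added example: audit whether a binary is world-executable and set-id.
# Uses ls -l rather than stat(1) so it runs on any POSIX system.

# Print the 10-character symbolic mode string, e.g. "-r-sr-xr-x".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 when "other" has the execute bit (x, or t with sticky), else 1.
world_exec() {
    case "$(mode_of "$1")" in
        ?????????[xt]) return 0 ;;
        *)             return 1 ;;
    esac
}

# Return 0 when the file is set-user-id or set-group-id, else 1.
is_setid() {
    case "$(mode_of "$1")" in
        ???[sS]??????|??????[sS]???) return 0 ;;
        *)                            return 1 ;;
    esac
}

# Print a verdict for one path. Returns 1 when the file is both set-id
# and world-executable (the combination the report warns about), else 0.
audit_dump_binary() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f: missing"
        return 0
    fi
    if is_setid "$f" && world_exec "$f"; then
        echo "$f: $(mode_of "$f") set-id and world-executable; consider: chmod o-x $f"
        return 1
    fi
    echo "$f: $(mode_of "$f") ok"
    return 0
}

# Typical use: check the two binaries named in the report.
for f in /sbin/dump /sbin/rdump; do
    audit_dump_binary "$f" || :
done
```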