From owner-freebsd-security Mon Jul 28 14:04:01 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA02728 for security-outgoing; Mon, 28 Jul 1997 14:04:01 -0700 (PDT)
Received: from rocky.mt.sri.com (rocky.mt.sri.com [206.127.76.100]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id OAA02710 for ; Mon, 28 Jul 1997 14:03:57 -0700 (PDT)
Received: (from nate@localhost) by rocky.mt.sri.com (8.7.5/8.7.3) id PAA07719; Mon, 28 Jul 1997 15:00:57 -0600 (MDT)
Date: Mon, 28 Jul 1997 15:00:57 -0600 (MDT)
Message-Id: <199707282100.PAA07719@rocky.mt.sri.com>
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: "Jonathan A. Zdziarski"
Cc: Robert Watson , Vincent Poy , Tomasz Dudziak , security@freebsd.org, "[Mario1-]" , JbHunt
Subject: Re: security hole in FreeBSD
In-Reply-To:
References:
X-Mailer: VM 6.29 under 19.15 XEmacs Lucid
Sender: owner-freebsd-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> There IS one common hole I've seen apache and stronghold have, and that is
> that some people like to leave their sessiond or httpd files owned by
> 'nobody'. This allows somebody running CGI on that system to replace
> those binaries with their own, hacked binaries (since the scripts are
> usually owned as nobody), and the next time httpd starts, they can make it
> write a root shell, or just about anything along those lines.

If it's running as 'nobody', it can't create a root shell. It can create a 'nobody' shell though...

Nate
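
An audit for the condition the quoted message describes, as an added example that is not part of the original thread: it reports when a server binary, or any directory above it, is owned by or writable by the unprivileged account that CGI scripts run as. The function names and the command-line form are assumptions made for this illustration.

```python
import os
import pwd
import stat
import sys


def replaceable_by(st, uid, gids):
    """Return why account `uid` could modify the object described by `st`, or None."""
    if st.st_uid == uid:
        return "owned by the account"  # the owner can always chmod and rewrite
    if st.st_gid in gids and st.st_mode & stat.S_IWGRP:
        return "group-writable by the account"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    return None


def audit(path, uid, gids, stat_fn=os.stat):
    """Check a binary and every directory above it; return [(path, reason)]."""
    findings = []
    current = os.path.realpath(path)
    while True:
        st = stat_fn(current)
        reason = replaceable_by(st, uid, gids)
        # In a sticky directory (such as /tmp) only the directory owner or the
        # entry's owner may rename or delete an entry, so write access alone
        # does not allow swapping a file that belongs to someone else.
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX and st.st_uid != uid:
            reason = None
        if reason:
            findings.append((current, reason))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            break
        current = parent
    return findings


if __name__ == "__main__":
    # Usage (assumed form): audit.py ACCOUNT BINARY [BINARY ...]
    account, binaries = sys.argv[1], sys.argv[2:]
    pw = pwd.getpwnam(account)
    groups = set(os.getgrouplist(account, pw.pw_gid))
    for binary in binaries:
        for where, why in audit(binary, pw.pw_uid, groups):
            print(f"{binary}: {where} is {why}")
```

A write-capable directory anywhere on the path is reported because it allows the binary, or a directory holding it, to be renamed aside and replaced even when the binary itself is owned by root.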