From owner-freebsd-security Mon Jun 24 17:51:38 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA28049 for security-outgoing; Mon, 24 Jun 1996 17:51:38 -0700 (PDT)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA28038; Mon, 24 Jun 1996 17:51:34 -0700 (PDT)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id KAA25110; Tue, 25 Jun 1996 10:55:44 +0930
From: Michael Smith
Message-Id: <199606250125.KAA25110@genesis.atrad.adelaide.edu.au>
Subject: Re: I need help on this one - please help me track this guy down!
To: mark@grumble.grondar.za.@grondar.za (Mark Murray)
Date: Tue, 25 Jun 1996 10:55:43 +0930 (CST)
Cc: richardc@CSUA.Berkeley.EDU, mark@grumble.grondar.za, wilko@yedi.iaf.nl, jkh@time.cdrom.com, guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org
In-Reply-To: <199606242043.WAA06435@grumble.grondar.za> from "Mark Murray" at Jun 24, 96 10:43:36 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Mark Murray stands accused of saying:
> > > > -rwsr-xr-x 1 root users 278528 Jun 18 04:01 root is from the dir
>          ^
>          | This is a setuid prog. The program is owned by root, and is
> SETUID, therefore it will run as if it were root. It is
> probably a shell (bash, sh, csh) renamed to root and setuid.
> "chmod 755 root" will cut it down to size.

lovely:~>ls -l /bin/sh
-r-xr-xr-x 1 bin bin 278528 Jun 19 20:34 /bin/sh

The question is, of course, what a setuid-root copy of /bin/sh is doing in this user's home directory.

Have you fixed the 'modload' hole on this system yet?

> Mark Murray

-- 
]] Mike Smith, Software Engineer msmith@atrad.adelaide.edu.au [[
]] Genesis Software genesis@atrad.adelaide.edu.au [[
]] High-speed data acquisition and (GSM mobile) 0411-222-496 [[
]] realtime instrument control (ph/fax) +61-8-267-3039 [[
]] Collector of old Unix hardware. "Where are your PEZ?" The Tick [[
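The check Mike does by hand above (spot a setuid file, compare its size with /bin/sh) can be scripted for a whole home directory tree. This is an added example, not code from the thread; `find_setuid_shells` is a hypothetical helper name, and the default shell list (/bin/sh, /bin/bash, /bin/csh) is an assumption you would adjust for your system.

```shell
#!/bin/sh
# find_setuid_shells DIR [SHELL...]
# Lists every setuid file under DIR and reports its owner and whether it is
# byte-for-byte identical to one of the given system shells. A setuid copy of
# a shell owned by root is exactly the "renamed /bin/sh" case in the thread;
# "chmod 755 FILE" (as suggested there) removes the setuid bit while you
# investigate how it got there.
find_setuid_shells() {
    dir=$1
    shift
    # Assumed default list of shells to compare against; pass your own to override.
    shells=${*:-"/bin/sh /bin/bash /bin/csh"}

    # -perm -4000: files with the setuid bit set; -xdev: stay on one filesystem.
    find "$dir" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        # Owner column of ls -l (portable across BSD and GNU userlands).
        owner=$(ls -ld "$f" | awk '{print $3}')
        match=""
        for s in $shells; do
            # cmp -s compares contents, so a renamed copy is caught even
            # though the name and timestamp differ from the system binary.
            if [ -f "$s" ] && cmp -s "$f" "$s"; then
                match=$s
                break
            fi
        done
        printf '%s\towner=%s\tidentical_to=%s\n' "$f" "$owner" "${match:-none}"
    done
}
```

Run it as `find_setuid_shells /home` (or /usr/home on FreeBSD); any line with `owner=root` and `identical_to=` naming a shell deserves immediate attention, and lines with `identical_to=none` still need checking against your package manifests.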