From owner-freebsd-security Tue Jun 25 08:08:09 1996
From: Andrew.Gordon@net-tel.co.uk
Date: Tue, 25 Jun 96 15:02:08 +0000
Subject: Re(2): I need help on this one - please help me track this guy down!
To: list:;
Cc: security@freebsd.org
In-Reply-To: <199606251242.WAA00732@genesis.atrad.adelaide.edu.au>
Message-Id: <"811-960625150230-D047*/G=Andrew/S=Gordon/O=NET-TEL Computer Systems Ltd/PRMD=NET-TEL/ADMD=Gold 400/C=GB/"@MHS>
Sender: owner-security@freebsd.org

> -Vince- stands accused of saying:
> >
> > Yeah, you have a point but jbhunt was watching the user as he
> > hacked root since he brought the file from his own machine.... so that
> > wasn't something the admin was tricked into doing..
But what file transfer mechanism was used? NFS maybe? Certainly a simple NFS mount of an untrusted machine is a dangerous thing to do, since setuids on those files will be obeyed. Maybe you allow this via an incautious AMD map? Personally, I like to mount all NFS filesystems "nosuid" - and likewise for all local systems exported by NFS (I don't normally export / or /usr). Most users have no business creating setuid programs in their filespace, and such a policy would most likely have prevented this breach even if the setuid binary was created by some other means.
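The "nosuid" policy described above can be checked rather than assumed. The following is an added example, not part of the original post: a small POSIX sh audit that reads mount(8)-style output and flags every NFS mount that is not mounted nosuid. The sample mount lines, host names and mount points are constructed for the demonstration; on a live system feed it the real output of `mount`.

```shell
#!/bin/sh
# Added example (not from the original post): flag NFS mounts that honour setuid.
#
# Constructed sample in FreeBSD mount(8) style: "<fs> on <mountpoint> (<type>, <opts>)".
# Host names and mount points are hypothetical.
SAMPLE_MOUNTS='/dev/sd0a on / (ufs, local)
fileserver:/home on /home (nfs, nosuid)
untrusted:/export on /mnt/untrusted (nfs)
fileserver:/usr/local on /usr/local (nfs, nodev)'

# audit_nfs_mounts: read mount lines on stdin; print each NFS mount whose
# option list lacks "nosuid". Exit status 0 if every NFS mount is nosuid,
# 1 if at least one NFS mount would obey setuid bits from the server.
audit_nfs_mounts() {
    rc=0
    while IFS= read -r line; do
        # Keep only the parenthesised option list, normalised to ",a,b,c,"
        opts=${line#*\(}
        opts=${opts%\)}
        opts=",$(printf '%s' "$opts" | tr -d ' '),"
        case $opts in
            *,nfs,*) ;;          # NFS mount: inspect its options
            *) continue ;;       # local filesystem: not the concern here
        esac
        case $opts in
            *,nosuid,*) ;;       # hardened: setuid bits ignored
            *) printf 'setuid honoured on NFS mount: %s\n' "$line"; rc=1 ;;
        esac
    done
    return $rc
}

# Hardened counterpart for /etc/fstab (hypothetical entry), for comparison:
#   untrusted:/export  /mnt/untrusted  nfs  rw,nosuid,nodev  0  0

printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts
```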