Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 25 Jun 1996 13:27:02 -0700 (PDT)
From:      -Vince- <vince@mercury.gaianet.net>
To:        Andrew.Gordon@net-tel.co.uk
Cc:        security@freebsd.org, jbhunt <jbhunt@mercury.gaianet.net>, Chad Shackley <chad@mercury.gaianet.net>
Subject:   Re: Re(2): I need help on this one - please help me track this guy down!
Message-ID:  <Pine.BSF.3.91.960625132607.25073F-100000@mercury.gaianet.net>
In-Reply-To: <"811-960625150230-D047*/G=Andrew/S=Gordon/O=NET-TEL Computer Systems Ltd/PRMD=NET-TEL/ADMD=Gold 400/C=GB/"@MHS>

next in thread | previous in thread | raw e-mail | index | archive | help
On Tue, 25 Jun 1996 Andrew.Gordon@net-tel.co.uk wrote:

> > -Vince- stands accused of saying:
> > > 
> > >       Yeah, you have a point but jbhunt was watching the user as he 
> > > hacked root since he brought the file from his own machine.... so that 
> > > wasn't something the admin was tricked into doing..
> 
> But what file transfer mechanism was used?  NFS maybe?
> 
> Certainly a simple NFS mount of an untrusted machine is a dangerous thing to do, since setuids on those files will be obeyed.  Maybe you allow this via an incautious AMD map?
> 
> Personally, I like to mount all NFS filesystems "nosuid" - and likewise for all local systems exported by NFS (I don't normally export / or /usr).  Most users have no business creating setuid programs in their filespace, and such a policy would most likely have prevented this breach even if the setuid binary was created by some other means.

	Probably ftp using a compressed tar or gzipped tar binary...

Vince




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.91.960625132607.25073F-100000>