From owner-freebsd-security Tue Jun 25 13:27:49 1996 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA14233 for security-outgoing; Tue, 25 Jun 1996 13:27:49 -0700 (PDT) Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA14202 for ; Tue, 25 Jun 1996 13:27:39 -0700 (PDT) Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id NAA15269; Tue, 25 Jun 1996 13:27:02 -0700 (PDT) Date: Tue, 25 Jun 1996 13:27:02 -0700 (PDT) From: -Vince- To: Andrew.Gordon@net-tel.co.uk cc: security@freebsd.org, jbhunt , Chad Shackley Subject: Re: Re(2): I need help on this one - please help me track this guy down! In-Reply-To: <"811-960625150230-D047*/G=Andrew/S=Gordon/O=NET-TEL Computer Systems Ltd/PRMD=NET-TEL/ADMD=Gold 400/C=GB/"@MHS> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-security@freebsd.org X-Loop: FreeBSD.org Precedence: bulk On Tue, 25 Jun 1996 Andrew.Gordon@net-tel.co.uk wrote: > > -Vince- stands accused of saying: > > > > > > Yeah, you have a point but jbhunt was watching the user as he > > > hacked root since he brought the file from his own machine.... so that > > > wasn't something the admin was tricked into doing.. > > But what file transfer mechanism was used? NFS maybe? > > Certainly a simple NFS mount of an untrusted machine is a dangerous thing to do, since setuids on those files will be obeyed. Maybe you allow this via an incautious AMD map? > > Personally, I like to mount all NFS filesystems "nosuid" - and likewise for all local systems exported by NFS (I don't normally export / or /usr). Most users have no business creating setuid programs in their filespace, and such a policy would most likely have prevented this breach even if the setuid binary was created by some other means. Probably ftp using a compressed tar or gzipped tar binary... Vince