mailing list archives
Re: From the moderator: READ Please
From: claudio () fire di unipi it (Claudio Telmon)
Date: Mon, 22 May 1995 11:03:20 +0200
I'm sorry for the wasted bandwidth, so I'll send something more interesting
(I hope :)). Two problems, not really bugs. I've found them on Linux, but you
may find them on other u**x too.
1) Some new releases of sendmail install the program as group kmem.
I can't see any good reason for this, if I'm wrong please correct me. This
group is dangerous, because it is able to read the kernel and physical memory.
I was able to get a shell as group kmem via the old ident bug, and to find some
fragments of the shadow passwords file in the kernel memory. Newer bugs may
give the same opportunity.
2) There is a (known?) way to run an arbitrary script files as suid/sgid
without the neeed to set the permissions bits.
All you need is write permissions in the /var/spool/atjobs directory.
This because atrun uses the user/group of the files in the directory to
suid/sgid before execution. If you can add a link in the directory to your
target file, atrun will execute it as suid/sgid.
If you have write permissions to a file, you can write a script in it and
run it suid to the owner. There are some limits: it won't work on a NFS
mounted file system, and maybe it works only on the file system of
/var/spool/atjobs. The problem, IMHO, is that using file ownership as
sticky bits is not correct.
On my linux, the directory is owned by bin. Bin haves little or no other
permissions ( most files are owned by root), but this way it becomes a
very dangerous user.
italian note/not about bugs/xlated theora jones (May 19)
Re: Solaris 2.x utmp hole Miguel Esteves. Rui Lopes (May 22)
Re: Solaris 2.x utmp hole der Mouse (May 19)
Re: Solaris 2.x utmp hole UM_584975868 () suagm3 suagm edu (May 19)
Re: Solaris 2.x utmp hole Neil Woods (May 22)