
Bugtraq mailing list archives

Digital Unix 4.0E /var permission
From: v13 () AETOS IT TEITHE GR (Harhalakis Stefanos)
Date: Sun, 4 Apr 1999 20:31:12 +0300

On Digital Unix 4.0E with the latest patch kit applied, after a new
installation /var has g+w for group system. Anyone that can crack any
account with gid==system may exploit this (not tested but there should be
no problem with mv'ing /var/sbin, /var/adm etc etc.). It seems that CDE
is forcing g+w to /var. The whole thing is done while executing
/sbin/rc3.d/S95xlogin and only if CDE is selected.
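
A defender-side check for the condition described in the post, as an added example that is not part of the original message: it flags directories that are group- or world-writable without the sticky bit, since write permission on a directory is what allows its entries to be renamed. The function names are hypothetical, and the script assumes `ls -l` prints the group in the fourth column.

```shell
#!/bin/sh
# Added example (not from the original post): report directories whose entries
# can be renamed or replaced by the owning group or by everyone.

# check_dir DIR
#   prints "DIR MODE GROUP STATUS"
#   returns 0 = ok, 1 = flagged, 2 = not a directory
check_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir - - not-a-directory"; return 2; }
    # ls -ld instead of stat(1): stat options differ between Unix flavours.
    # Assumption: column 1 is the mode string, column 4 is the group.
    info=$(ls -ld "$dir" | awk '{print $1 " " $4}')
    mode=${info% *}
    group=${info#* }
    status=ok
    case $mode in
        # Sticky bit set: only the entry's owner, the directory's owner
        # or root may rename or delete entries, so the write bits are tolerable.
        ?????????[tT]*) ;;
        ????????w*) status=world-writable ;;
        ?????w*)    status=group-writable ;;
    esac
    echo "$dir $mode $group $status"
    [ "$status" = ok ]
}

# audit DIR...  -> returns 1 if any directory was flagged or missing
audit() {
    rc=0
    for d in "$@"; do
        check_dir "$d" || rc=1
    done
    return $rc
}

# Paths named in the post: sh audit.sh /var /var/adm /var/sbin
[ "$#" -eq 0 ] || audit "$@"
```

Running it once after a fresh install and again after /sbin/rc3.d/S95xlogin has executed shows whether the mode of /var changes between the two points.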

