Begin forwarded message:
> <vuln-dev_at_lists.securityfocus.com>:
> ezmlm-reject: fatal: Sorry, I don't accept messages of MIME
> Content-Type 'multipart/alternative' (#5.2.3)
>
> --- Below this line is a copy of the message.
>
> Attached is some questions I had on file system permissions.
>
>
> --Apple-Mail-1355773572-2
> Content-Disposition: attachment;
> filename="permissions.txt"
> Content-Type: text/plain;
> name="permissions.txt";
> x-unix-mode=0644
> Content-Transfer-Encoding: quoted-printable
>
> I am confused as to how permissions are set on symbolic links and normal
> files created by the average joe schmoe user with standard privs on
> OSX.=20=
>
> My exact version info is ... Darwin Kernel Version 1.3.7: Sat=20
> Jun 9 11:12:48 PDT 2001; root:xnu/xnu-124.13.obj~1/RELEASE_PPC=20
> on OSX 10.0.4 Build 4Q12. Let me walk you through my confusion.=20
>
> Clicked System Prefs then went to users and filled out the form to
> make =
> a user.
> I made sure I did not check the box to allow this user to admin the box
>
> Telnet in and login as joeschmoe
> [osxinsightrrcom:/tmp] root# telnet localhost
> Trying 127.0.0.1...
> Connected to localhost.
> Escape character is '^]'.
>
> Darwin/BSD (osxinsightrrcom) (ttyp3)
>
> login: joeschmoe
> Password:
> Welcome to Darwin!
> [osxinsightrrcom:~] joeschmo% id
> uid=3D504(joeschmo) gid=3D20(staff) groups=3D20(staff)
>
> Looks like the only groups I am in are staff.=20
>
> [osxinsightrrcom:~] joeschmo% pwd
> /Users/joeschmo
> [osxinsightrrcom:~] joeschmo% touch file=20
> [osxinsightrrcom:~] joeschmo% ls -al file
> -rw-r--r-- 1 joeschmo staff 0 Sep 30 19:53 file
>
> all looks fine here uid=3Djoeschmoe gid=3Dstaff
>
> Move to /tmp and do the same thing.=20
> This is the first thing I find odd is the file is now=20
> uid=3Djoeschmoe and gid=3Dwheel instead of gid=3Dstaff.=20
>
> [osxinsightrrcom:~] joeschmo% cd /tmp
> [osxinsightrrcom:/tmp] joeschmo% touch file=20
> [osxinsightrrcom:/tmp] joeschmo% ls -al file
> -rw-r--r-- 1 joeschmo wheel 0 Sep 30 20:05 file
>
> Now lets try an ln because its even weirder. Now perms are=20
> uid=3Droot gid=3Dwheel which makes no sense to me.=20
> ( I was attempting to exploit man so don't mind the file names)=20
>
> [osxinsightrrcom:/tmp] joeschmo% ln -s /etc/issue man.000112
> [osxinsightrrcom:/tmp] joeschmo% ls -al man.000112
> lrwxrwxrwt 1 root wheel 10 Sep 30 20:07 man.000112 -> /etc/issue
>
> Same command in my home dir. Whats the deal here? Why is it=20
> uid=3Djoeschmoe and gid=3Dstaff here but not in /tmp
> [osxinsightrrcom:~] joeschmo% ln -s /etc/issue man.000112
> [osxinsightrrcom:~] joeschmo% ls -al man.*
> lrwxr-xr-x 1 joeschmo staff 10 Sep 30 20:10 man.000112 -> /etc/issue
>
> /tmp is a Symbolic link to /private so lets see what it looks like
> [osxinsightrrcom:/private/cores] joeschmo% ls -al /tmp
> lrwxrwxr-t 1 root admin 11 Sep 30 19:12 /tmp -> private/tmp
> [osxinsightrrcom:/private/cores] joeschmo% ls -al /private/
> total 0
> drwxr-xr-x 7 root wheel 194 Sep 30 13:31 .
> drwxrwxr-t 26 root admin 840 Sep 30 19:12 ..
> drwxr-xr-x 3 root wheel 264 Apr 27 08:30 Drivers
> drwxrwxrwt 3 root wheel 58 Sep 30 20:12 cores
> drwxr-xr-x 59 root wheel 1962 Sep 29 16:51 etc
> drwxrwxrwt 7 root wheel 194 Sep 30 20:07 tmp
> drwxr-xr-x 17 root wheel 534 Sep 30 13:31 var
>
> cores and tmp seem to have the same perms so the same issue applys
> there =
> also
> [osxinsightrrcom:/private/cores] joeschmo% ln -s /etc/issue man.000112
> [osxinsightrrcom:/private/cores] joeschmo% ls -al man.*
> lrwxrwxrwt 1 root wheel 10 Sep 30 20:12 man.000112 -> /etc/issue
>
> Can anyone tell me whats going on here?=20
>
> -KF
>
>
> --Apple-Mail-1355773572-2--
>
> --Apple-Mail-763401367-1--
>
Received on Oct 02 2001
Intro
