Path: utzoo!attcan!utgpu!jarvis.csri.toronto.edu!rutgers!tut.cis.ohio-state.edu!ucsd!sdcc6!sdcc13!pa1034
From: pa1034@sdcc13.ucsd.EDU (The Evil)
Newsgroups: comp.unix.wizards
Subject: Re: Is there an FSDB Manual?
Message-ID: <1288@sdcc13.ucsd.EDU>
Date: 10 Oct 89 03:01:16 GMT
References: <1221@virtech.UUCP> <4960@cbnewsm.ATT.COM> <572@pd1.ccd.harris.com> <889@uniol.UUCP> <890@uniol.UUCP>
Reply-To: pa1034@sdcc13.ucsd.edu.UUCP (The Evil(tm) One)
Distribution: comp
Organization: Univ. of California, San Diego
Lines: 27

In article <890@uniol.UUCP> lehners@uniol.UUCP (Joerg Lehners) writes:
>Executables without special privileges (i.e. without s-bits) should
>never be security holes.
>Are such beasts around? If so I would like to hear about such things.

Any program which is publicly executable can potentially be a
security hole. A program can be non-SUID and still have code
like:

{ exec shell to cp /bin/sh /tmp/sushi.
  Now that the /tmp/sushi is owned by current owner, do a chmod 6777 on it.
}

Surprise! The user now has the privileges of whoever runs this
program. If root runs it, BIG SURPRISE!!!

If someone gets superuser privileges he can change, or rewrite some
of the more common utilities to bestow privileged SUID bits on shell
programs when the corresponding user uses the program. (e.g. whenever
root does an 'ls' now, he unknowingly creates a root trap door for an
intruder.)

Of course, don't leave programs open to the public. (Then they don't
need root privilege to do this.)

>/ Joerg Lehners | Fachbereich 10 Informatik ARBI \

John Marco
pa1034@iugrad2.ucsd.edu
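
A defender's check for the two conditions the post describes, as an added example that is not part of the original post: it walks a directory tree and reports SUID/SGID files (marking any whose contents are identical to a known shell, like the /tmp/sushi copy) and executables that group or other can rewrite. The function name `audit_tree`, the finding labels and the default shell path are assumptions made for illustration.

```python
import hashlib
import os
import stat


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_tree(root, shells=("/bin/sh",)):
    """Return sorted (path, finding) pairs for risky regular files under root.

    Finding labels (hypothetical names chosen for this example):
      setid          SUID or SGID bit set
      setid-shell    as above, and content identical to one of `shells`
      writable-exec  executable that group or other may rewrite
    """
    shell_hashes = {_sha256(s) for s in shells if os.path.isfile(s)}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)        # lstat: judge the entry, not a symlink target
            except OSError:
                continue                   # entry vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & (stat.S_ISUID | stat.S_ISGID):
                kind = "setid"
                try:
                    if _sha256(path) in shell_hashes:
                        kind = "setid-shell"
                except OSError:
                    pass                   # cannot read it: still report as setid
                findings.append((path, kind))
            if mode & 0o111 and mode & 0o022:
                findings.append((path, "writable-exec"))
    return sorted(findings)


if __name__ == "__main__":
    for path, kind in audit_tree("/tmp"):
        print(kind, path)
```

Run it over scratch directories such as /tmp for the first two findings and over the directories in root's PATH for the third.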