Path: utzoo!attcan!uunet!mcsun!ukc!pyrltd!tetrauk!paul
From: paul@tetrauk.UUCP (Paul Ashton)
Newsgroups: comp.unix.sysv386
Subject: Re: setluid(0) in SCO ?
Keywords: Defeat SCO C2 Security
Message-ID: <738@tetrauk.UUCP>
Date: 25 Sep 90 10:03:01 GMT
References: <1990Sep20.163355.7147@robobar.co.uk>
Reply-To: paul@tetrauk.UUCP (Paul Ashton)
Organization: Tetra Ltd., Maidenhead, UK
Lines: 39

I originally sent this to comp.unix.xenix.sco but the distribution was eunet; however, it may be useful.

---

In article <2434@maestro.htsa.aha.nl> fransh@maestro.htsa.aha.nl (Frans van Hattem) writes:
>I'm trying to use 'ct' under SCO UnixV.3.2 but it won't work?; :-(
>Everything goes well, but when I have to login again (after I've been called back) I get an error:
> "Bad login user id"

When login runs it expects to be able to call setluid(S) to set the immutable login user id, which can never after be changed. Unfortunately, since your luid has already been set, this will fail and bomb out.

The only solution would seem to be (this is what you also need to do if you kill cron off and restart it):

add a line to /etc/inittab (and /etc/conf/cf.d/init.base)

    nolu:a:once:/bin/sh < /dev/tty01 >/dev/tty01 2>&1

then on tty01 as root type "init a;sleep 60"

you will then have an interactive shell with no luid, so you can then try running your ct.

---

Some other points to add since I sent that:

In the release notes, it does say that ct does not work yet.

With no luid you can su to anyone at all and spawn other processes (don't forget you've only 60 seconds!). However, the point is that since root has unbridled control of the system, there is no point in preventing a process with an euid of 0 performing setluid. Once you are root you can cover up *ANY* tracks at all (unless there are hardware audits, such as hardcopy printers or one-way comms links), so why try and pretend that you can audit the initial login id of a process that became root? You can't.

--
Paul
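As an added check from the administrator's side (this is not part of the post and not SCO's code): a small audit of /etc/inittab that flags entries where init hands out an interactive shell directly, bypassing getty/login and therefore the setluid call, so that on a C2 system the shell runs with no luid. It assumes the standard SysV field layout id:rstate:action:process; the sample inittab is constructed, with the "nolu" line taken from the post and ordinary entries added for comparison.

```python
import re
from typing import List, Tuple

# Constructed sample /etc/inittab (not a real SCO file): the "nolu" entry is the
# one from the post; the others are ordinary SysV entries for comparison.
SAMPLE_INITTAB = """\
is:S:initdefault:
bchk:S:sysinit:/etc/bcheckrc </dev/console >/dev/console 2>&1
r2:2:wait:/bin/sh /etc/rc2 >/dev/console 2>&1
co:2345:respawn:/etc/getty tty01 m
t2:2345:respawn:/etc/getty tty02 m
nolu:a:once:/bin/sh < /dev/tty01 >/dev/tty01 2>&1
"""

SHELLS = {"sh", "csh", "ksh"}
REDIRECT_OP = re.compile(r"^\d*[<>]{1,2}&?\d*$")     # bare "<", ">", or "2>&1"
REDIRECT_ATTACHED = re.compile(r"^\d*[<>]{1,2}\S")    # e.g. ">/dev/tty01"

def parse_inittab(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (id, rstate, action, process) for each entry. The process
    field may itself contain ':' so split at most three times."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) == 4:
            entries.append(tuple(parts))
    return entries

def is_interactive_shell(process: str) -> bool:
    """True if the process field runs a shell with no script argument, only
    redirections: init would start an interactive shell directly instead of
    going through getty/login (login is what calls setluid)."""
    words = process.split()
    if not words or words[0].rsplit("/", 1)[-1] not in SHELLS:
        return False
    args, skip = [], False
    for w in words[1:]:
        if skip:
            skip = False                   # this word was a redirect target
        elif REDIRECT_OP.match(w):
            skip = "&" not in w            # bare "<"/">" takes the next word
        elif not REDIRECT_ATTACHED.match(w) and not w.startswith("-"):
            args.append(w)                 # a real argument, e.g. a script
    return not args

def find_unattributed_shells(text: str) -> List[str]:
    """IDs of entries that would yield a shell with no luid on a C2 system."""
    return [e[0] for e in parse_inittab(text) if is_interactive_shell(e[3])]
```

Running it over the sample reports only the "nolu" entry; the rc2 script run via /bin/sh and the getty lines are left alone.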