Path: utzoo!attcan!uunet!cs.utexas.edu!helios!skdutta
From: skdutta@cs.tamu.edu (Saumen K Dutta)
Newsgroups: comp.unix.internals
Subject: Re: Getting to root when the password has been lost
Message-ID: <9101@helios.TAMU.EDU>
Date: 14 Oct 90 22:50:59 GMT
References: <12@tdatirv.UUCP> <1990Oct10.150848.3143@holos0.uucp> <1990Oct14.132119.27827@athena.mit.edu>
Sender: usenet@helios.TAMU.EDU
Organization: Computer Science Department, Texas A&M University
Lines: 35

In article <1990Oct14.132119.27827@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes:
->|> anyway, I did a find and found a file that was setuid,
->|> belonged to root, and was writable by me.  I wrote a small 'C' program to
->|> change the permissions on /etc/passwd to rw-rw-rw (temporarily, of course),
->|> linked the program, cat'ted that into the setuid file, and voila.
->
->From the man page write(2) on my BSD 4.3 (well, actually, IBM AOS, but it's
->close enough) system:
->
->     If the real user is not the super-user, then write clears
->     the set-user-id bit on a file.  This prevents penetration of
->     system security by a user who captures a writable set-user-
->     id file owned by the super-user.
->
->I consider this to be a very important security feature; the fact that you
->were able to use its absence to break into root, after obtaining only access
->to a generic non-root account, is good evidence of this.  Does the NCR Tower
->not have this in its kernel (if so, I would complain to your vendor!!)?
->

In a different context I found that this feature is not implemented in
uucp. Sometime back I used to work on SCO-XENIX 2.2.1 and while sending
mails through UUCP, I noticed that if the sender machine sends a file
with set-uid on, the file is stored in the destination machine with
set-uid on. This may be considered as a security breach as an ordinary
user can have access to all uucp files on the remote machine. I would like
to know if other unix versions also permits the same.

Thanks

--
     _                                   ||Internet: skdutta@cssun.tamu.edu  
    (   /_     _ /   --/-/- _            ||Bitnet : skd8107@tamvenus.bitnet 
   __)_/(_____(_/_(_/_(_(__(_/_______    ||Uucp : uunet!cssun.tamu.edu!skdutta
                                 ..      ||Yellnet: (409) 846-8803