Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!wuarchive!emory!wa4mei!holos0!wdh
From: wdh@holos0.uucp (Weaver Hickerson)
Newsgroups: comp.unix.internals
Subject: Re: Getting to root when the password has been lost
Message-ID: <1990Oct15.185753.7772@holos0.uucp>
Date: 15 Oct 90 18:57:53 GMT
References: <12@tdatirv.UUCP> <1990Oct10.150848.3143@holos0.uucp> <1990Oct14.132119.27827@athena.mit.edu>
Organization: Holos Software, Inc., Atlanta, GA
Lines: 33
Eepeep: WHAT, Noname?

In article <1990Oct14.132119.27827@athena.mit.edu> jik@athena.mit.edu (Jonathan I. Kamens) writes:
>In article <1990Oct10.150848.3143@holos0.uucp>, wdh@holos0.uucp (Weaver Hickerson) writes:
>|> anyway, I did a find and found a file that was setuid,
>|> belonged to root, and was writable by me. I wrote a small 'C' program to
>|> change the permissions on /etc/passwd to rw-rw-rw (temporarily, of course),
>|> linked the program, cat'ted that into the setuid file, and voila.
>
>From the man page write(2) on my BSD 4.3 (well, actually, IBM AOS, but it's
>close enough) system:
> [ Stuff about how BSD write(2) turns off setuid bit deleted ]
>I consider this to be a very important security feature; the fact that you
>were able to use its absence to break into root, after obtaining only access
>to a generic non-root account, is good evidence of this. Does the NCR Tower
>not have this in its kernel (if so, I would complain to your vendor!!)?
>

Interesting. I've never seen any mention of this in SysV documentation.
I just checked SCO Xenix -- no mention. I did the deed on my Xenix box,
voila SUID file owned by root, rwsrwxrwx, now contains my own program.
(First I had to use root privilege to create the file, of course. None
lying around, by any means :) My account is "generic non-root", since my
UID is not 0.

Is that security feature part of SVID at all, or just BSD?? (It is a good
idea, since it protects some administrators from themselves)

Postscript is a trademark of Adobe Systems...

Weaver
--
-Weaver Hickerson Voice (404) 496-1358 : ..!edu!gatech!holos0!wdh
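
A defensive check for the two conditions discussed in this thread, as an added example that is not part of the original article or of any vendor's code: `audit_tree` reports set-uid/set-gid regular files that group or other can write (the `rwsrwxrwx` case), and `write_clears_setuid` probes whether the running kernel strips the set-uid bit on write(2). The function names and the /tmp scratch path are assumptions made for this example.

```c
#define _XOPEN_SOURCE 700            /* expose lstat, fchmod, mkstemp */
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Set-id regular file that group or other may overwrite (e.g. rwsrwxrwx). */
int risky_mode(mode_t m) {
    return S_ISREG(m) && (m & (S_ISUID | S_ISGID)) && (m & (S_IWGRP | S_IWOTH));
}

/* Count risky files under dir, recursively; -1 if dir cannot be opened. */
int audit_tree(const char *dir) {
    DIR *d = opendir(dir);
    struct dirent *e;
    struct stat st;
    char path[4096];
    int hits = 0, n;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (!strcmp(e->d_name, ".") || !strcmp(e->d_name, "..")) continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path) continue;
        if (lstat(path, &st) != 0) continue;          /* lstat: never follow symlinks */
        if (S_ISDIR(st.st_mode) && (n = audit_tree(path)) > 0) hits += n;
        if (!risky_mode(st.st_mode)) continue;
        printf("%04o %s\n", (unsigned)(st.st_mode & 07777), path);
        hits++;
    }
    closedir(d);
    return hits;
}

/* 1 if write(2) cleared the set-uid bit, 0 if it survived, -1 on error. */
int write_clears_setuid(void) {
    char tmpl[] = "/tmp/suidprobeXXXXXX";   /* constructed scratch file */
    struct stat st;
    int r = -1, fd = mkstemp(tmpl);
    if (fd < 0) return -1;
    if (fchmod(fd, S_ISUID | 0755) == 0 && write(fd, "x", 1) == 1 && fstat(fd, &st) == 0)
        r = (st.st_mode & S_ISUID) ? 0 : 1;
    close(fd); unlink(tmpl);                /* always remove the probe file */
    return r;
}

int main(int argc, char **argv) {
    printf("write(2) cleared set-uid: %d\n", write_clears_setuid());
    return audit_tree(argc > 1 ? argv[1] : ".") != 0;   /* non-zero exit on findings */
}
```

Run the probe from an unprivileged account: the superuser is exempt from the bit-clearing on kernels that implement it, so a root run may report 0 either way.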