Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!rbj
From: rbj@uunet.UU.NET (Root Boy Jim)
Newsgroups: comp.unix.internals
Subject: Re: becoming root via NFS
Message-ID: <114827@uunet.UU.NET>
Date: 19 Dec 90 04:51:08 GMT
References: <4627@pkmab.se> <4088@osc.COM> <111544@convex.convex.com>
Organization: UUNET Communications Services, Falls Church, VA
Lines: 29

In article <111544@convex.convex.com> tchrist@convex.COM (Tom Christiansen) writes:
? It's really pretty easy to become root on the server if you can 
? become root on the workstation.  Become a non-root user who can create
? a directory.  Create a directory on the server that's mode 777.  Now
? go back to root and go to this directory, which you can write although
? the files will be owned by user ((unsigned short) -2).

I follow you so far, but...

? Do a mknod 
? giving it the major,minor numbers of /dev/mem on the server,
? not the workstation.

Um, only root can do a mknod, `nobody' can't.

? Make it mode 666.  Return to the server as a normal
? user, adb your new /dev/mem device and scribble at will.  My favorite 
? scribble is to punch the uid of my shell to be 0 in the proc structure.

I tried this another way. Entice someone to mount a filesystem from
your machine. Then, as root on your own machine, do a mknod. Get onto
the server as a regular user and access the device. But wait! Devices
don't work across NFS! So no good there either.

? Tom Christiansen		tchrist@convex.com	convex!tchrist
-- 

	Root Boy Jim Cottrell <rbj@uunet.uu.net>
	Close the gap of the dark year in between