Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uunet!fub!tmpmbx!scuzzy!src
From: src@scuzzy.in-berlin.de (Heiko Blume)
Newsgroups: comp.unix.sysv386
Subject: Re: SECURITY BUG IN INTERACTIVE UNIX SYSV386
Keywords: BAD BUG
Message-ID: <1991Feb15.115243.7883@scuzzy.in-berlin.de>
Date: 15 Feb 91 11:52:43 GMT
References: <KR3NBQQ@dobag.in-berlin.de> <483@stephsf.stephsf.com> <1991Feb13.221259.1462@scuzzy.in-berlin.de> <1991Feb14.201602.21248@kith
Organization: Contributed Software
Lines: 20

sef@kithrup.COM (Sean Eric Fagan) writes:

>In article <1991Feb13.221259.1462@scuzzy.in-berlin.de> src@scuzzy.in-berlin.de (Heiko Blume) writes:
>>not exactly, for public access to my source archive i've set up
>>a chroot() user that can't write anywhere, unhackable :-)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^

>Sorry, that's not the case.  Once you've got root access, you can go through
>and do lots of nasty things, including setting u.u_rdir to something useful,
>like '/'.  Figuring out how to do so is left as an excercise for the reader.

once you've got root access, yes, but you can get root access.
the only thing that that user can do is *read* files, nothing else.
the only commands available are ls, sz, zmore and tar. try figuring
out how to become root with this as a long lasting excercise.
-- 
      Heiko Blume <-+-> src@scuzzy.in-berlin.de <-+-> (+49 30) 691 88 93
                    public source archive [HST V.42bis]:
        scuzzy Any ACU,f 38400 6919520 gin:--gin: nuucp sword: nuucp
                     uucp scuzzy!/src/README /your/home