Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uwm.edu!ux1.cso.uiuc.edu!edotto
From: edotto@ux1.cso.uiuc.edu (Ed Otto)
Newsgroups: comp.unix.admin
Subject: Re: Possible security problem, need information...
Message-ID: <1991Mar20.165442.7210@ux1.cso.uiuc.edu>
Date: 20 Mar 91 16:54:42 GMT
References: <1991Mar18.200957.166@gacvx2.gac.edu>
Organization: University of Illinois at Urbana
Lines: 25

dan@gacvx2.gac.edu writes:

>Greetings,
> 
>Is there anything inherently evil giving world write access to the "root" (aka
>"/") directory on a BSD 4.3 UNIX system?  The exact permission with the command
>"ls -ld /" is "drwxrwxrwt".  I have been thinking about it for a few hours now
>and the worst thing I have come up with is writing "rc" files that the
>unsuspecting "root" user could execute and the .rhosts file could be created if
>it didn't already exist.  For readers who are about to write back and tell it
>it is a bad idea, I have already figured that out.  However the operating
>system I am dealing with ships with the protection set this way. Setting the
>protection correctly would disable a major feature of this vendors OS.  Feel
>free to use e-mail or phone to respond.  This information is to be used in a
>bug report to the vendor which they will hopefully forward to CERT if
>necessary.

What machine is this?  I want to overwrite their operating system with one of myown...

But seriously,I think that this is not a problem as mine is the same way.
I think that world MUST have write access to the root fs, because otherwise
I don't think that you could write ANYTHING on the entire file system unless
you were logged in as 'root'...

If not, will someone please tell ME so I can change mine, too?