Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!sdd.hp.com!spool.mu.edu!snorkelwacker.mit.edu!bloom-beacon!eru!hagbard!sunic!mcsun!hp4nl!star.cs.vu.nl!henk
From: henk@cs.vu.nl (Henk Smit)
Newsgroups: comp.unix.admin
Subject: Re: Possible security problem, need information...
Message-ID: <9385@star.cs.vu.nl>
Date: 20 Mar 91 21:42:37 GMT
Article-I.D.: star.9385
References: <1991Mar18.200957.166@gacvx2.gac.edu> <1832@svin02.info.win.tue.nl>
Sender: news@cs.vu.nl
Lines: 37

debra@wsinis03.info.win.tue.nl (Paul de Bra) writes:

>In article <1991Mar18.200957.166@gacvx2.gac.edu> dan@gacvx2.gac.edu writes:
>>Is there anything inherently evil giving world write access to the "root" (aka
>>"/") directory on a BSD 4.3 UNIX system? The exact permission with the command
>>"ls -ld /" is "drwxrwxrwt".

>Let's see, a user could:
>- remove the kernel (/vmunix or /unix) so you cannot reboot after a crash
>- mv /dev /somethingelse so all devices are unknown (including the tty's
>  so no one can log on...)
>- mv /etc /somethingelse and then mkdir /etc, create your own /etc/passwd...

This would be possible if the permission on / was "drwxrwxrwx", but it is not!
The "t" (sticky bit) on directories means that you must not only have
write permission on the directory, but also be the owner of the file
(or directory) that you want to (re)move.

The only problem I can see so far is if /etc/rc.local contains some lines like

	if [ -f /somepackage/bin/daemon ]
	then
		/somepackage/bin/daemon; echo "somepackage started"
	fi

If "somepackage" is not installed, JoeUser can make his own
/somepackage/bin/daemon and wait until the machine reboots.
But most software I have seen lives in "/usr/somepackage", so I guess
this will not be a problem.

How strange it seems, I can't see an obvious security gap in "drwxrwxrwt" on /.

	Henk.
--
Henk Smit                          Vrije Universiteit Amsterdam
Internet: henk@cs.vu.nl            Faculteit Informatica kamer S4.10
Phone:    +31 20 548 6218
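
The rc.local case described in the post above, as an added example that is not part of the original post: a shell audit that lists absolute paths named in an rc script which are missing and whose deepest existing ancestor directory is world-writable. The function names, the temporary demo tree and the second rc.local entry (/usr/otherpackage) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Under "drwxrwxrwt" the sticky bit stops users removing or
# renaming root's entries, but anyone may still create new ones.

# plantable_ancestor ROOT PATH: if PATH is missing under ROOT and its deepest
# existing ancestor directory is world-writable, print that ancestor.
plantable_ancestor() {
    root=$1 path=$2
    if [ -e "$root$path" ]; then return 0; fi    # already installed
    dir=$(dirname "$path")
    while [ ! -d "$root$dir" ]; do               # climb to an existing dir
        dir=$(dirname "$dir")
    done
    # -perm -0002 matches when the "other write" bit is set
    if [ -n "$(find "$root$dir" -prune -perm -0002 -print)" ]; then
        printf '%s\n' "$dir"
    fi
}

# audit_rc ROOT RCFILE: print "PATH<TAB>ANCESTOR" for each absolute path named
# in RCFILE that an unprivileged user could create first.
audit_rc() {
    # Crude tokenizer: drop comments, split on blanks and ';', keep /paths.
    sed 's/#.*//' "$2" | tr -s ' \t;' '\n\n\n' | grep '^/' | sort -u |
    while read -r p; do
        a=$(plantable_ancestor "$1" "$p")
        if [ -n "$a" ]; then printf '%s\t%s\n' "$p" "$a"; fi
    done
}

# demo: build a constructed tree (mode 1777 top level, 755 /usr) plus an
# rc.local like the one in the post, then audit it.
demo() {
    t=$(mktemp -d) || return 1
    chmod 1777 "$t"
    mkdir "$t/usr" "$t/etc" && chmod 755 "$t/usr" "$t/etc"
    cat > "$t/etc/rc.local" <<'EOF'
if [ -f /somepackage/bin/daemon ]
then
	/somepackage/bin/daemon; echo "somepackage started"
fi
if [ -f /usr/otherpackage/bin/daemon ]; then /usr/otherpackage/bin/daemon; fi
EOF
    audit_rc "$t" "$t/etc/rc.local"
    rm -rf "$t"
}

demo
```

On a live system the audit would be called as `audit_rc "" /etc/rc.local`; an empty result means every path the script names either exists or sits under a directory only its owner or group can write to.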