Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!uwm.edu!ogicse!unmvax!bbx!yenta!dt
From: dt@yenta.alb.nm.us (David B. Thomas)
Newsgroups: comp.sys.3b1
Subject: Re: 3b1 security and removal of ua
Keywords: ua security
Message-ID: <1991Apr10.054606.26116@yenta.alb.nm.us>
Date: 10 Apr 91 05:46:06 GMT
References: <375@unx-pc.UUCP> <927@jonlab.UUCP>
Organization: yenta unix pc, rio rancho, nm
Lines: 43

jon@jonlab.UUCP (Jon H. LaBadie) writes:

>EXCEPT, one of the arguments to eprintf(3T) is what to do when the
>user clicks on the icon. And one of the possibilities is ST_EXEC;
>execute a program!!!

>Guess which user id, and in which directory the program is executed;
>You security hounds are right: by root and in the root directory.

Actually, with the stock /etc/rc script, the current directory is /etc/lddrv when /etc/smgr is started. smgr is the program that reads /dev/error and puts up the icon, and it is to blame for the hole.

Lenny Tropiano was aware of this hole in a slightly different form: if smgr puts up an envelope, indicating you have mail, and you click on the icon, it starts up /bin/main, as root, with /etc/lddrv as the current directory. Imagine my confusion when, after typing "s" to save a mail message, it wasn't in my home directory, but instead was eventually found, owned by root, in /etc/lddrv!!

Anyway, Lenny's solution was to write his own email program, which takes care of the permissions and stuff. It's called email, and it's in osu-cis.

>So, essentially, anyone with access to your C compiler has access to
>your entire machine!

As someone else already pointed out, they have to get at the console to exploit this hole, and anyone with access to your console can boot it from a floppy and do anything they want!!

I don't use smgr anyway. It's handy, but now that I have mgr, I can cheerfully say goodbye to wind.o and everything associated with it.

Hmmm.... anybody know if I can remove the tam stuff from the shared library? Since I don't load the window driver I can't possibly use it.

By the way, my mgr hacks are coming along. Soon, I expect to release some diffs so it blanks automatically after a period of time, and I'm working on some faster bit blits in assembler. This baby oughta scream!

little david
--
Robert Thomas, speaking of good software for Unix vs. MsDos:
"Quality is either the result of a whole lot of dedication, or it's a thin layer of cream on top of a whole lot of milk."
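
Added example, not part of the original post and not smgr's or email's code: how a root-owned launcher on a modern POSIX system can start a program as the console user and in that user's directory, instead of passing on root's identity and working directory as described above. The helper name `run_as_user` and the demo values are hypothetical, and `setgroups` is assumed to be available.

```c
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: run `path` for the given user rather than
 * inheriting the launcher's root identity and working directory.
 * Returns the child's exit status, or -1 if it could not be run. */
int run_as_user(uid_t uid, gid_t gid, const char *home,
                const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Order matters: supplementary groups, then gid, then uid
         * last, because after setuid() groups can no longer change. */
        if (geteuid() == 0 && uid != 0 && setgroups(1, &gid) != 0)
            _exit(126);
        if (setgid(gid) != 0 || setuid(uid) != 0)
            _exit(126);
        /* Confirm the drop is permanent before running anything. */
        if (uid != 0 && setuid(0) == 0)
            _exit(126);
        /* Start in the user's directory, not wherever root was. */
        if (chdir(home) != 0)
            _exit(126);
        execv(path, argv);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed demo: run a shell as the invoking user in /tmp. */
    char *const argv[] = { "sh", "-c", "id; pwd", NULL };
    int rc = run_as_user(getuid(), getgid(), "/tmp", "/bin/sh", argv);
    printf("child exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Exit status 126 means the identity or directory switch failed and nothing was executed; 127 means the exec itself failed.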