Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!uwm.edu!bionet!agate!ucbvax!bloom-beacon!eru!hagbard!sunic!mcsun!hp4nl!duteca!wolff
From: wolff@duteca (Roger Wolff)
Newsgroups: comp.os.minix
Subject: Re: Security hole ?!
Message-ID: <1282@duteca.UUCP>
Date: 17 Apr 91 16:48:32 GMT
References: <50276@nigel.ee.udel.edu>
Organization: Delft University of Technology, Netherlands
Lines: 20

HBO043%DJUKFA11.BITNET@cunyvm.cuny.edu (Christoph van Wuellen) writes:

>On UNIX, you can e.g. remove files beloging to other users if they reside
>in /tmp

>Check if this is the case in your case (?)

Well, there is the S_ISVTX (sticky) bit that can be set on a directory
This will prevent this. This does not work on every unix system,
and many system administrators will not bother to set the bit on
/tmp and /usr/spool/mail but at least on suns. 
As a real security leak: our system administrator has a script that 
will put the password entry of a new user into /tmp/.newpasswd and
then rsh machine 'cat >> /etc/passwd' </tmp/.newpasswd to add the 
user to other machines. This is a security leak as soon as the 
specific bit is off: one could wait for a new user to be added, and
quickly copy the old one, append your own root account, delete the 
old one and insert your new entry! 

						Rogier.