Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!zaphod.mps.ohio-state.edu!unix.cis.pitt.edu!dsinc!bagate!cbmvax!cbmehq!cbmswe!prophet!karl
From: karl@prophet.UUCP (Karl-Gunnar Hultland)
Newsgroups: comp.unix.amiga
Subject: Re: interesting feature on AMIX..
Message-ID:
Date: 27 Jun 91 03:21:48 GMT
References: <13706@mentor.cc.purdue.edu> <1991Jun19.204906.19339@dvorak.amd.com> <426@hfsi.UUCP> <1991Jun21.201119.722@ckctpa.UUCP> <431@hfsi.UUCP>
Lines: 31

>In article <431@hfsi.UUCP> frank@hfsi.UUCP (Frank McPherson) writes:
>In article <1991Jun21.201119.722@ckctpa.UUCP> crash@ckctpa.UUCP (Frank J. Edwards) writes:
>>Suppose I make a floppy on my machine and put a copy of ksh on it. Then
>>I make that ksh set-uid to root and mount it on your system. I execute
>>that ksh and voilà! I get the "#" prompt...
>>
>Would you have to meddle around with the KSH to make it set-uid to root?
>My point here is, if you started up a ksh, even if from your own file
>system, shouldn't it disallow you to setuid to root? If not, that is a
>pretty serious security hole in the way we're doing things. I'm not
>sure that it really MATTERS, because the machines aren't incredibly
>important anyway, and there aren't any overwhelming reasons for someone
>to want root access on one of them, other than just saying they did it.
>

If I OWN my own A3000 running UNIX then I could easily make a set-uid root
ksh on a floppy. That's not REALLY a security hole.

Karl

---
Karl Hultland, {rutgers | pyramid | uunet}!cmbvax!cbmehq!cbmswe!prophet!karl
Organization: Mine all mine.
Egoist: a person of low taste, more interested in himself than in me.
                - A. Bierce
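An added example, not part of the original post: the thread turns on whether a system honours set-uid bits on a filesystem someone else prepared, so this audit lists mounts where it would. It assumes the Linux `/proc/mounts` format and the `nosuid` mount option (not AMIX itself); the function name, the trusted mount points and the sample table are hypothetical.

```python
import re

# Pseudo filesystems that cannot carry user-supplied binaries (assumed list).
PSEUDO_FS = {"proc", "sysfs", "devpts", "cgroup2", "devtmpfs"}
# Mount points expected to hold set-uid system binaries (assumed site policy).
TRUSTED = {"/", "/usr"}


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def suid_honouring_mounts(mounts_text, trusted=TRUSTED):
    """Return (device, mountpoint, fstype) for every mount outside `trusted`
    that lacks `nosuid`, i.e. where a set-uid root file would take effect."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line
        device, mountpoint, fstype = (_unescape(f) for f in fields[:3])
        options = set(fields[3].split(","))
        if fstype in PSEUDO_FS or mountpoint in trusted:
            continue
        if "nosuid" not in options:
            findings.append((device, mountpoint, fstype))
    return findings


# Constructed sample mount table: the floppy and CD-ROM are mounted without
# nosuid, the USB stick (mount point contains an escaped space) with it.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/fd0 /mnt/floppy ext2 rw,relatime 0 0
/dev/sdb1 /media/usb\\040stick vfat rw,nosuid,nodev 0 0
/dev/sr0 /media/cdrom iso9660 ro,relatime 0 0
"""

if __name__ == "__main__":
    for device, mountpoint, fstype in suid_honouring_mounts(SAMPLE_MOUNTS):
        print(f"set-uid honoured: {device} on {mountpoint} ({fstype})")
```

On a live Linux host the same function can be fed the contents of `/proc/mounts`; each finding is a candidate for remounting with `nosuid`.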