Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84 SMI; site sun.uucp
Path: utzoo!linus!philabs!prls!amdimage!amdcad!decwrl!sun!guy
From: guy@sun.uucp (Guy Harris)
Newsgroups: net.micro.att
Subject: Re: S-bit set on UnixPC mv
Message-ID: <2511@sun.uucp>
Date: Sun, 28-Jul-85 01:03:51 EDT
Article-I.D.: sun.2511
Posted: Sun Jul 28 01:03:51 1985
Date-Received: Tue, 30-Jul-85 04:52:48 EDT
References: <1284@cwruecmp.UUCP>
Organization: Sun Microsystems, Inc.
Lines: 33

> A friend of mine noticed this, but the way at&t ships the Unix Pc software,
> the set uid bit on /bin/mv is set, and it is owned by root.  He seems to
> think that this is a "back door" for the telephone support people, but it's
> a giant security breach, especially to those people at&t is trying to market
> to, business people who know little or nothing about Unix.

I got news for you guys; "/bin/mv" is set-UID root on V7, System III,
4.1BSD, and System V Release 1.  This is necessary because, except on 4.2BSD
where you can use the non-privileged "rename" system call, you must rename
directories by doing a "link" of the new name to the old name and an
"unlink" of the old name, and "link"s to and "unlink"s of directories are
privileged operations.  S5R2 has a separate set-UID program to do moving of
directories.  "mv" in all the non-4.2BSD/non-S5R2 systems gives up its
set-UID privileges as soon as it figures out that it's not moving a
directory; if it *is* moving a directory, it does all the requisite
permissions checking itself.

I don't know how much of the System V in the 7300's UNIX is S5R2 (where they
have a separate-UID program to move directories), but it may not have the
S5R2 "mv".

> With this, all a user need do is copy the passwd file to their own directory
> edit, and remove the passwd field, and then mv it back and then su to root.

If it's the S5R1 "mv", you can *try* to "mv" the passwd file back - but
you'll fail.

> To remove this "feature" just chmod -s /bin/mv and it will be taken care of.

And (if it's the S5R1 "mv") discover that you can't rename directories any
more.

	Guy Harris