Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Posting-Version: version B 2.10.2 9/18/84; site eagle.UUCP
Path: utzoo!watmath!clyde!burl!ulysses!eagle!mjs
From: mjs@eagle.UUCP (M.J.Shannon)
Newsgroups: net.micro.att
Subject: Re: S-bit set on UnixPC mv
Message-ID: <1307@eagle.UUCP>
Date: Fri, 2-Aug-85 11:14:39 EDT
Article-I.D.: eagle.1307
Posted: Fri Aug 2 11:14:39 1985
Date-Received: Sat, 3-Aug-85 05:39:10 EDT
References: <1284@cwruecmp.UUCP> <2511@sun.uucp> <1285@cwruecmp.UUCP>
Organization: AT&T Bell Laboratories, Summit, NJ
Lines: 50

> I don't know either but one thing is true: with our version of /bin/mv
> I as an ordinary user can mv ANYTHING ANYWHERE I want it. For you
> non-believers try moving passwd to your directory then have everyone log out.
>
> >> With this, all a user need do is copy the passwd file to their own directory
> >> edit, and remove the passwd field, and then mv it back and then su to root.
> >
> >If it's the S5R1 "mv", you can *try* to "mv" the passwd file back - but
> >you'll fail.
>
> One question: Do you think I wrote this without trying it out? IT WORKS.
>
> >> To remove this "feature" just chmod -s /bin/mv and it will be taken care of.
> >
> >And (if it's the S5R1 "mv") discover that you can't rename directories any
> >more.
>
> And users will never pester the system manager for mounting disks again,
> they'll be able to do it themselves.
>
> I apologize to Guy if I'm a little perturbed, but evidently he doesn't
> have access to a Unix pc which my letter was about, not diffs in S5R1, BSD,
> S5R2 or V7. It was about what I could do on a Unix Pc with no privileges
> except login. If you have tried this on a Unix Pc, with the unmodified
> software and it doesn't work then post articles and send me letters making
> me look like a fool.
>
> william robertson usenet: decvax!cwruecmp!rob

Yes, you are inordinately perturbed, and your flame (er, um, article) shows
this extremely well.

As has been pointed out before (in at least 3 articles that I've seen), the
reason J.Random User can use mv to diddle the passwd file is that, as shipped,
the directory /etc (and several others as well, including / itself) have read,
write, and execute permission for anyone. Since /etc is writable, any file may
be removed from there and replaced by any user. To put things right on your
machine, you must "chmod go-w /etc" as root (and restore the setuid bit on
/bin/mv, if you've unset it). I have done this on my UNIX PC, and random users
can no longer nuke the precious files in /etc at whim.

To reiterate: the setuid bit on /bin/mv is necessary to allow users to rename
directories. There are several directories on the UNIX PC which, as shipped,
are disastrous for secure machines (not that you can have security on a machine
that has a data line enabled).

Before you flame again, please perform the exercise I indicate in this article,
and mail me the results. You should then make a public apology to the net.
--
Marty Shannon
UUCP: ihnp4!eagle!mjs
Phone: +1 201 522 6063

Warped people are throwbacks from the days of the United Federation of Planets.
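The point of the article is that the directory mode, not the file mode or the setuid bit on mv, decides whether /etc/passwd can be swapped out. The following added script (not part of the original article or of the UNIX PC software) demonstrates that on a constructed temporary directory standing in for /etc, using only standard POSIX tools, then applies the fix the article gives (chmod go-w) and re-checks.

```shell
#!/bin/sh
# Added example: audit a directory for the as-shipped misconfiguration the
# article describes (group/other write on /etc), show why it matters, and
# apply the article's fix (chmod go-w). Everything runs on a constructed
# temporary tree, never on the real /etc, so it is safe for an ordinary user.

# Print "weak" if the directory is writable by group or other, "ok" otherwise.
# Parses the 10-character mode string from ls(1): position 6 is group write,
# position 9 is other write.
dir_write_status() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) echo weak ;;
        *)                     echo ok ;;
    esac
}

# Show that the file's own mode does not protect it: a read-only file inside a
# writable directory can still be renamed over, because rename(2) is governed
# by the directory's permissions, not the target file's. Prints "replaced" or "kept".
replace_in_dir() {
    d="$1"
    printf 'root:x:0:0::/:/bin/sh\n' > "$d/passwd"   # constructed stand-in, not the real file
    chmod 444 "$d/passwd"
    printf 'edited copy\n' > "$d/passwd.new"
    if mv -f "$d/passwd.new" "$d/passwd" 2>/dev/null; then echo replaced; else echo kept; fi
}

# Apply the fix from the article and report the directory's new status.
harden_dir() {
    chmod go-w "$1"
    dir_write_status "$1"
}

# Walk through the whole scenario on a throwaway directory and report each step.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/etc"
    chmod 777 "$tmp/etc"                      # the as-shipped state the article describes
    before=$(dir_write_status "$tmp/etc")
    result=$(replace_in_dir "$tmp/etc")
    after=$(harden_dir "$tmp/etc")
    rm -rf "$tmp"
    echo "before=$before replaced=$result after=$after"
}

demo
```

Running dir_write_status against / and /etc on a real system is a quick check for the same exposure; harden_dir is the article's chmod with the status check folded in.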