Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!mnetor!seismo!gatech!cuae2!ltuxa!ttrdc!levy
From: levy@ttrdc.UUCP (Daniel R. Levy)
Newsgroups: net.unix-wizards
Subject: Re: write clears setuid in BSD
Message-ID: <1291@ttrdc.UUCP>
Date: Tue, 4-Nov-86 01:31:31 EST
Article-I.D.: ttrdc.1291
Posted: Tue Nov 4 01:31:31 1986
Date-Received: Wed, 5-Nov-86 21:08:54 EST
References: <115@tijc02.UUCP> <735@hropus.UUCP> <1040@ho95e.UUCP> <8616@sun.uucp> <700@copper.UUCP>
Organization: AT&T, Computer Systems Division, Skokie, IL
Lines: 37

In article <700@copper.UUCP>, stevesu@copper.UUCP (Steve Summit) writes:
>In article <8616@sun.uucp>, guy@sun.uucp (Guy Harris) writes:
>> > Anyway, if a setuid program overwrites itself, it is no longer setuid!
>> It says this *in the 4BSD manual page for write(2)*; this is a Berkeleyism.
>> I consider it to be an airbag;...
>I think this airbag solves a significant class of potential
>security problems...
>/usr/bin/uniq was setuid
>root!
>But since uniq happens to take an output
>filename argument, I could have parlayed that hole into a general
>one, by using the incongruously setuid uniq to scribble a
>genuinely useful program (like /bin/sh) onto a previously setuid
>program (like /bin/passwd).

Right in principle; in practice I'd think you'd have a hard time getting
uniq to pass a binary file :-).  Still, a point well taken.

>It's true that limited write ability could still be used to
>scribble on /etc/passwd (which is less desirable for a hacker's
>purpose due to console log messages for su's), and to do a few
>more subtle tricks (which I think I won't mention).
>                                         Steve Summit

While su's may show up on the console, does it show up on the console in
BSD if a user simply logs in to an account (other than root) which shows
a UID of 0 in /etc/passwd?  SysV doesn't allow direct login to a UID 0
account except at the console, but I don't have a BSD system to try this
with.
-- 
 -------------------------------    Disclaimer:  The views contained herein are
|       dan levy | yvel nad      |  my own and are not at all those of my em-
|         an engihacker @        |  ployer or the administrator of any computer
| at&t computer systems division |  upon which I may hack.
|        skokie, illinois        |
 --------------------------------   Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,
           go for it!                   allegra,ulysses,vax135}!ttrdc!levy
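
An added example, not part of the original post: a C audit routine for the case raised in the last paragraph, an account other than root whose /etc/passwd entry carries UID 0. The sample entries and the function names are constructed, and converting the uid field with atoi() is an assumption about how the login path reads it, which is why "00" and an empty field are reported as well.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed sample, passwd(5) layout: name:passwd:uid:gid:gecos:dir:shell */
static const char *SAMPLE_PASSWD =
    "root:x:0:0:root:/root:/bin/sh\n"
    "toor:x:0:0:alt root:/root:/bin/csh\n"
    "oper:x:00:5:leading zeros:/usr/oper:/bin/sh\n"
    "guest:x::100:empty uid field:/tmp:/bin/sh\n"
    "levy:x:1291:20:ordinary user:/usr/levy:/bin/sh\n";

/* Copy ':'-separated field idx (0-based) of line into out; -1 if missing. */
static int field(const char *line, size_t len, int idx, char *out, size_t outsz)
{
    const char *p = line, *end = line + len;
    while (idx-- > 0) {
        p = memchr(p, ':', (size_t)(end - p));
        if (!p) return -1;
        p++;
    }
    const char *q = memchr(p, ':', (size_t)(end - p));
    size_t n = (size_t)((q ? q : end) - p);
    if (n >= outsz) n = outsz - 1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Count (and print) accounts other than "root" whose uid field is 0 under
   atoi(). Assumption: login uses atoi(), so "00" and "" both mean uid 0. */
int extra_uid0_accounts(const char *passwd_text)
{
    int hits = 0;
    for (const char *line = passwd_text; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char name[64], uid[32];
        if (len > 0 && line[0] != '#' &&
            field(line, len, 0, name, sizeof name) == 0 &&
            field(line, len, 2, uid, sizeof uid) == 0 &&
            atoi(uid) == 0 && strcmp(name, "root") != 0) {
            printf("uid 0 besides root: %s (uid field \"%s\")\n", name, uid);
            hits++;
        }
        line = nl ? nl + 1 : line + len;
    }
    return hits;
}
int main(void) { return extra_uid0_accounts(SAMPLE_PASSWD) == 3 ? 0 : 1; }
```

To audit a real system, read the password file into a buffer and pass it to extra_uid0_accounts(); any non-zero return needs an explanation.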