Path: utzoo!mnetor!uunet!husc6!bloom-beacon!tut.cis.ohio-state.edu!mailrus!ames!ncar!oddjob!gargoyle!att-ih!ihnp4!ihlpf!nevin1
From: nevin1@ihlpf.ATT.COM (00704a-Liber)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <4209@ihlpf.ATT.COM>
Date: 30 Mar 88 22:32:15 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <478@minya.UUCP> <7521@ncoast.UUCP> <130@heart-of-gold>
Reply-To: nevin1@ihlpf.UUCP (00704a-Liber,N.J.)
Organization: AT&T Bell Laboratories - Naperville, Illinois
Lines: 32

In article <130@heart-of-gold> jc@heart-of-gold (John M Chambers x7780 1E342) writes:
.OK, I'll bite. Here are the permissions on my home directory and .login:
.
.drwxrwxr-x 21 jc wheel 2560 Mar 24 08:30 .
.-rw-r--r-- 2 jc wheel 250 Jan 29 14:53 .login
.
.And here's the rnews command:
.
.22531 -rwsr-sr-x 2 news news 114688 Mar 17 13:33 /news/bin/rnews
.
.Explain to me how someone could use this setuid-news, setgid-news program
.to write into my .login file. No need to explain further; I do appreciate
.why I wouldn't want you to do that. But I don't quite see how this setup
.makes it possible.

It is not possible for someone to *directly* abuse this to write to your
(uid=jc, gid=wheel) .login file. However, someone may be able to abuse rnews
and become uid=news, gid=news. They would then have access to all of news's
files. This is where the security break is.

BTW, some time ago I saw a file with the following permissions:

-rwsrwsrwx foo bar somefile

From a security standpoint, what's wrong with this picture?? (Please DON'T
post answers to this question; it is merely rhetorical.)
--
 _ __            NEVIN J. LIBER  ..!ihnp4!ihlpf!nevin1  (312) 510-6194
' )  )      "The secret compartment of my ring I fill
 /  / _ , __o  ____  with an Underdog super-energy pill."
/  (_
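
An added example, not part of the original post or thread: a small permission audit that parses `ls -l` mode strings like the ones quoted above and flags regular files whose setuid or setgid bit is combined with group or world write permission. The function names (`parse_ls_mode`, `audit_mode`, `audit_tree`) are assumptions made for this illustration.

```python
import os
import stat

SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
KINDS = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK}

def parse_ls_mode(text):
    """Turn a 10-character ls -l mode string into st_mode bits."""
    if len(text) != 10 or text[0] not in KINDS:
        raise ValueError("unsupported mode string: %r" % text)
    mode = KINDS[text[0]]
    for i, ch in enumerate(text[1:]):
        bit, special = 0o400 >> i, SPECIAL.get(i)
        if ch == "rwx"[i % 3]:
            mode |= bit
        elif special and ch == ("t" if i == 8 else "s"):
            mode |= bit | special          # special bit plus execute
        elif special and ch == ("T" if i == 8 else "S"):
            mode |= special                # special bit, execute clear
        elif ch != "-":
            raise ValueError("bad character %r in %r" % (ch, text))
    return mode

def audit_mode(mode):
    """Flag regular files whose setuid/setgid bit is combined with
    write permission for group or other."""
    findings = []
    if not stat.S_ISREG(mode):
        return findings
    for flag, name in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid")):
        if mode & flag and mode & stat.S_IWOTH:
            findings.append(name + " and world-writable")
        elif mode & flag and mode & stat.S_IWGRP:
            findings.append(name + " and group-writable")
    return findings

def audit_tree(root):
    """Apply audit_mode to every file under root (symlinks not followed)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                found = audit_mode(os.lstat(path).st_mode)
            except OSError:
                continue                   # vanished or unreadable entry
            if found:
                hits[path] = found
    return hits

if __name__ == "__main__":
    for s in ("-rw-r--r--", "-rwsr-sr-x", "-rwsrwsrwx"):   # modes quoted in the thread
        print(s, oct(stat.S_IMODE(parse_ls_mode(s))), audit_mode(parse_ls_mode(s)) or "ok")
```

The rnews mode from the thread passes this check: its exposure, as the reply says, lies in what the program can be made to do while running as news, which a permission scan cannot see.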