Path: utzoo!mnetor!uunet!husc6!rutgers!mtunx!whuts!homxb!hropus!jgy
From: jgy@hropus.UUCP (John Young)
Newsgroups: comp.unix.wizards
Subject: Re: Guide to writing secure setuid programs?
Message-ID: <99@hropus.UUCP>
Date: 29 Mar 88 16:10:49 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <1037@woton.UUCP> <386@vsi.UUCP> <347@wsccs.UUCP> <469@fornax.UUCP>
Organization: Bell Labs, Holmdel, NJ
Lines: 32

> In article <347@wsccs.UUCP>, terry@wsccs.UUCP (terry) writes:
> >
> > [ remarks on previous articles suppressed]
> >
> > 1) if /usr/spool/mail is writeable and on the same device as /etc:
> >
> > $ ln /etc/passwd /usr/spool/mail/fred
> > $ echo "sneak::0:1:A hacker:/:/bin/sh" | mail fred
> > $ su fred
> > #
>
> I tried this out on a Sun running 3.4. It don't work.
> Mail is evidently smart enough to check for the existence of
> the addressee, either locally or through the Yellow Pages.
>
> I don't see as it matters whether /etc/passwd and the mail
> directory are on the same file system.
>

OK. Just take a look at the crontabs entries, /etc/rc entries,
/etc/backup_stuff entries and so on and so on (temp files for ps,
sar, etc....) for any references to files in /tmp or /usr/tmp.
Link the /etc/passwd file to that /tmp/file and either run the
command or wait for cron/root to run it for you! BANG, there goes
the password file! If you pick the right utility, it will change
the modes so you can make your own entries.

SYSV's sticky directory bits will do nothing for this.

The answer: keep /etc on a filesystem which does not need to
contain directories writeable by "normal" (abnormal?) users.
Ideally, of course, the whole root fs would be write protected while
in multi-user.
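
Added example, not part of the original post: the program-side counterpart to the filesystem layout advice above, showing that creating a scratch file with O_EXCL refuses a name that already exists as a link to another file, while a plain create-and-truncate writes through it. The function names (naive_create, safe_create, victim_size_after) and the files under /tmp/linkdemo.<pid> are constructed for this illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* What a careless root-run utility does: open a fixed name and truncate
 * whatever is there, including a file reached through a planted link. */
int naive_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* O_EXCL makes open() fail with EEXIST when the name already exists,
 * so a name planted as a link to another file is never written through. */
int safe_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario in a private directory (mkdir() is atomic and fails
 * if the name exists): "victim" stands in for a sensitive file, "scratch"
 * for the predictable temp name linked to it. Returns the victim's size
 * after create_fn has tried to open "scratch", or -1 on setup failure. */
long victim_size_after(int (*create_fn)(const char *))
{
    char dir[64], victim[80], scratch[80];
    struct stat st;
    long size = -1;
    int fd;

    snprintf(dir, sizeof dir, "/tmp/linkdemo.%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(scratch, sizeof scratch, "%s/scratch", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && write(fd, "root:x:0:0\n", 11) == 11
        && link(victim, scratch) == 0) {        /* the pre-existing link */
        int tmp = create_fn(scratch);
        if (tmp >= 0) close(tmp);
        if (stat(victim, &st) == 0) size = (long)st.st_size;
    }
    if (fd >= 0) close(fd);
    unlink(scratch); unlink(victim); rmdir(dir);
    return size;
}

int main(void)
{
    printf("naive: victim is %ld bytes\n", victim_size_after(naive_create));
    printf("safe:  victim is %ld bytes\n", victim_size_after(safe_create));
}
```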