Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!hplabs!decwrl!labrea!rutgers!mailrus!cornell!uw-beaver!rice!sun-spots-request
From: steve@umiacs.umd.edu (Steven D. Miller)
Newsgroups: comp.sys.sun
Subject: Re: Yet another finger hole
Message-ID: <8811281958.AA16132@fnord.umiacs.UMD.EDU>
Date: 11 Dec 88 22:52:49 GMT
Sender: usenet@rice.edu
Organization: Rice University, Houston, Texas
Lines: 21
Approved: Sun-Spots@rice.edu
Original-Date: Mon, 28 Nov 88 14:58:41 EST
X-Sun-Spots-Digest: Volume 7, Issue 43, message 8 of 15

If someone can get to, and become root on, an untrusted machine that can
mount your /usr/etc read-write, they can do a lot of things that will end
up with their gaining root access to your machine. (This is why we manage
our exports files carefully, and why on untrusted machines we use a hacked
/etc/init that won't boot single-user without being given the root
password.)

The scenario that you describe will indeed allow such an intruder to gain
root access to your system. I think the change you suggest will work to
foil such methods of intrusion. I suspect that this sort of shenanigans
could be pulled on almost any network server, not just fingerd, so long as
that utility is owned by someone other than root. The best fix is to use a
4.3-style inetd.conf, but that's only an option for those running SunOS
4.0...

Thanks for pointing this out.

	-Steve

Spoken: Steve Miller
Domain: steve@mimsy.umd.edu
UUCP: uunet!mimsy!steve
Phone: +1-301-454-1808
USPS: UMIACS, Univ. of Maryland, College Park, MD 20742
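
Added example, not part of the original post and not SunOS code: a Python check for the condition the post describes, a network server that inetd starts as root while its program file or containing directory is owned by someone other than root. It assumes the 4.3BSD-style inetd.conf field order (service, socket type, protocol, wait/nowait, user, program, arguments); the sample entries, the owner table and the function names are constructed for illustration.

```python
import os
import pwd

# Constructed sample in 4.3BSD-style inetd.conf layout (assumed field order):
# service  socket  proto  wait/nowait  user  server-program  args...
SAMPLE_CONF = """\
# constructed example entries
finger  stream  tcp  nowait  root    /usr/etc/in.fingerd  in.fingerd
ftp     stream  tcp  nowait  root    /usr/etc/in.ftpd     in.ftpd
ntalk   dgram   udp  wait    root    /usr/etc/in.ntalkd   in.ntalkd
tftp    dgram   udp  wait    nobody  /usr/etc/in.tftpd    in.tftpd
echo    stream  tcp  nowait  root    internal
"""

# Constructed owner table standing in for the filesystem, so the check
# can be exercised without a live /usr/etc.
SAMPLE_OWNERS = {
    "/usr/etc": "root",
    "/usr/etc/in.fingerd": "bin",
    "/usr/etc/in.ftpd": "root",
    "/usr/etc/in.ntalkd": "root",
    "/usr/etc/in.tftpd": "bin",
}

def stat_owner(path):
    """Owner login name of a path on the live filesystem."""
    return pwd.getpwuid(os.stat(path).st_uid).pw_name

def audit(conf_text, owner_of=stat_owner):
    """Return (service, path, owner) for each server that inetd starts as
    root while the program file or its directory is owned by another user."""
    findings = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 6:
            continue                      # blank, comment, or malformed
        service, run_as, program = fields[0], fields[4], fields[5]
        if program == "internal" or run_as != "root":
            continue                      # built-in, or already unprivileged
        for path in (program, os.path.dirname(program)):
            owner = owner_of(path)
            if owner != "root":
                findings.append((service, path, owner))
    return findings

if __name__ == "__main__":
    for service, path, owner in audit(SAMPLE_CONF, SAMPLE_OWNERS.get):
        print(f"{service}: runs as root, but {path} is owned by {owner}")
```

Calling audit() with only the text of a real inetd.conf uses stat_owner, so it reads ownership from the filesystem it runs on.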