From owner-freebsd-questions Fri Dec 18 06:37:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id GAA14885 for freebsd-questions-outgoing; Fri, 18 Dec 1998 06:37:33 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from smtp3.erols.com (smtp3.erols.com [207.172.3.236]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id GAA14878 for ; Fri, 18 Dec 1998 06:37:22 -0800 (PST) (envelope-from graeme@echidna.com)
Received: from win95.echidna.com (inet.erols.com [209.122.117.150]) by smtp3.erols.com (8.8.8/8.8.5) with SMTP id JAA29892; Fri, 18 Dec 1998 09:37:09 -0500 (EST)
Message-ID: <367A68E2.6255@echidna.com>
Date: Fri, 18 Dec 1998 09:38:26 -0500
From: Graeme Tait
Organization: Echidna
X-Mailer: Mozilla 2.02 (Win95; I)
MIME-Version: 1.0
To: "Bond, Jeffery"
CC: "'FreeBSD questions'" , "'cjc@cc942873-a.ewndsr1.nj.home.com'"
Subject: Re: Basic Security Question
References: <084DD226F592D211988800A024AC583B02B783@exchange.nectech.co.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Bond, Jeffery wrote:
>
> >Mark Ovens wrote,
> >
> >> and on all the Sparcs running SunOS4.1.3_U1 here are:
> >>
> >> gppsun4:/{8}% ls -ldug etc
> >> drwxrwsrwx 10 bin staff 2048 Dec 17 09:30 etc
> >>
> >> which is even less secure as it's writable by all!
> >
> >I may be dense. Is that some kind of joke or something? As dense as I
> >am, I know for sure that even I could take any account on a system
> >with permissions like that and have control of root in this many
> >keystrokes:
> >
> >% cd /etc
> >% echo "root::0:0:Evil Root:/:/bin/csh" > passwd.new
> >% mv passwd passwd.old
> >% mv passwd.new passwd
> >% su
> >#
>
> Just because the directory is writable, this doesn't mean the existing files
> in it are too. You won't be able to do 'mv passwd passwd.old'.

As I understand it, file delete and creation are controlled by the
permissions of the *containing* directory, not the file permissions. It's
obvious enough it has to be that way for creation, as there is no file to
have permissions, and logically, what you can (not) create, you should
(not) be able to delete.

If a file lacks write permission for the relevant user/group/other
category, you will get a warning on deletion if the appropriate directory
permission is write, but the warning can be overridden.

The mv command is possible as stated above. But the hack given didn't work
for me - is that because you need to fiddle master.passwd? What about the
pwd.db file?

--
Graeme Tait - Echidna
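
The directory-versus-file permission rule discussed in this thread, as an added example that is not part of the original messages: an audit that flags world-writable directories lacking the sticky bit, plus a check that a mode-0444 file can still be renamed and replaced when its directory is writable. The function names and the sample tree are constructed for illustration, and everything runs in throwaway temp directories.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# List directories under $1 that are world-writable but lack the sticky bit.
# In such a directory any local user can rename or unlink any entry,
# whatever the mode or owner of the entry itself.
risky_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 -print | sort
}

# Show that rename is governed by the directory, not the file: a mode-0444
# file in a directory we can write to is moved aside and replaced.
# Prints the content found under the original name afterwards.
replace_readonly_file() {
    d=$(mktemp -d) || return 1
    echo original > "$d/conf"
    chmod 0444 "$d/conf"
    echo replacement > "$d/conf.new"
    mv "$d/conf" "$d/conf.old" && mv "$d/conf.new" "$d/conf"
    cat "$d/conf"
    rm -rf "$d"
}

# Constructed sample tree: one unsafe dir, one /tmp-style dir, one normal dir.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/open" "$t/sticky" "$t/normal"
    chmod 0777 "$t/open"    # world-writable, no sticky bit
    chmod 1777 "$t/sticky"  # sticky: rename/delete limited to the entry's
                            # owner, the directory's owner, or root
    chmod 0755 "$t/normal"
    echo "$t"
}

# Demo run on the constructed tree.
tree=$(make_sample_tree)
echo "world-writable without sticky bit:"
risky_dirs "$tree"
echo "content under the original name after the swap: $(replace_readonly_file)"
rm -rf "$tree"
```

On a real host, point `risky_dirs` at the filesystem root; system directories such as /etc should never appear in its output.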