Date: Sun, 03 Aug 1997 12:02:51 -0700
From: "Jordan K. Hubbard" <jkh@time.cdrom.com>
To: "Jonathan A. Zdziarski" <jonz@netrail.net>
Cc: security@FreeBSD.ORG
Subject: Re: setuid shutdown?
Message-ID: <2950.870634971@time.cdrom.com>
In-Reply-To: Your message of "Sun, 03 Aug 1997 10:05:45 -0000." <Pine.BSF.3.95q.970803100305.4197B-100000@netrail.net>

> I just realized that my version of freebsd 2.2.2 installs with a
> set-uid-root shutdown command allowing anybody who wants to to shutdown or
> reboot the server. Obviously I removed the bits, and got rid of the

Uh, no, that's not correct. Shutdown's permissions, as installed in
2.2.2, are:

-r-sr-x--- 1 root operator 139264 Jul 15 02:08 /sbin/shutdown

Joe User *cannot* shut the system down because Joe user can't even
execute the damn thing. Did you actually CHECK this before you sent
this bug report in? :-)

> Also: I noticed that 2.2.2 installs /usr/bin/perl (4) and a setuid root
> version of it as well (found this out when I noticed that adduser and
> rmuser are perl and not c). If I'm not mistaken 4 has some major security
> problems with setuid perl, no?

You need to read the CERT advisories - a patch for this has existed
for ages now.

Jordan
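
The permission check described in the reply above, as an added example that is not part of the original message: it decodes `ls -l` mode strings and reports, for each set-uid root file, the widest class that holds the execute bit. The `/sbin/shutdown` line is the one quoted in the message; the `/constructed/...` lines, the function names and the result labels are assumptions made for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple

class Entry(NamedTuple):
    path: str
    owner: str
    group: str
    setuid: bool
    runs_for: str  # widest class with execute: world, group:<name>, owner, nobody

def parse_ls_line(line: str) -> Optional[Entry]:
    """Decode one `ls -l` line for a regular file; None for anything else."""
    fields = line.split(None, 8)
    if len(fields) < 9 or len(fields[0]) < 10 or fields[0][0] != "-":
        return None
    mode, owner, group, path = fields[0], fields[2], fields[3], fields[8]
    # Execute slots: 's'/'t' mean special bit plus execute, while 'S'/'T'
    # mean the special bit is set but execute is not.
    if mode[9] in "xt":
        runs_for = "world"
    elif mode[6] in "xs":
        runs_for = "group:" + group
    elif mode[3] in "xs":
        runs_for = "owner"
    else:
        runs_for = "nobody"
    return Entry(path, owner, group, mode[3] in "sS", runs_for)

def setuid_root_exposure(listing: str) -> List[Tuple[str, str]]:
    """Return (path, runs_for) for every set-uid file owned by root."""
    found = []
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if entry and entry.setuid and entry.owner == "root":
            found.append((entry.path, entry.runs_for))
    return found

# First line is quoted in the message; the rest are constructed samples.
LISTING = """\
-r-sr-x--- 1 root operator 139264 Jul 15 02:08 /sbin/shutdown
-r-sr-xr-x 1 root wheel 20480 Jan  1 00:00 /constructed/world-exec
-r-Sr--r-- 1 root wheel 20480 Jan  1 00:00 /constructed/no-exec
-r-xr-xr-x 1 root wheel 20480 Jan  1 00:00 /constructed/not-setuid
"""

if __name__ == "__main__":
    for path, who in setuid_root_exposure(LISTING):
        print(f"{who:16} {path}")
```

Only entries reported as `world` are runnable by arbitrary local users; a `group:operator` result means the set-uid bit matters only to members of that group.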