Date:      Sun, 03 Aug 1997 12:02:51 -0700
From:      "Jordan K. Hubbard" <jkh@time.cdrom.com>
To:        "Jonathan A. Zdziarski" <jonz@netrail.net>
Cc:        security@FreeBSD.ORG
Subject:   Re: setuid shutdown? 
Message-ID:  <2950.870634971@time.cdrom.com>
In-Reply-To: Your message of "Sun, 03 Aug 1997 10:05:45 -0000." <Pine.BSF.3.95q.970803100305.4197B-100000@netrail.net> 

> I just realized that my version of freebsd 2.2.2 installs with a
> set-uid-root shutdown command allowing anybody who wants to to shutdown or
> reboot the server.  Obviously I removed the bits, and got rid of the

Uh, no, that's not correct.  Shutdown's permissions, as installed in
2.2.2, are:

-r-sr-x---  1 root  operator  139264 Jul 15 02:08 /sbin/shutdown

Joe User *cannot* shut the system down because Joe user can't even
execute the damn thing.

Did you actually CHECK this before you sent this bug report in? :-)

> Also: I noticed that 2.2.2 installs /usr/bin/perl (4) and a setuid root
> version of it as well (found this out when I noticed that adduser and
> rmuser are perl and not c).  If I'm not mistaken 4 has some major security
> problems with setuid perl, no?

You need to read the CERT advisories - a patch for this has existed for
ages now.

					Jordan
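As an added example (not part of the thread), a POSIX sh function that decodes an `ls -l` mode string the way the reply does for /sbin/shutdown, and flags setuid-root binaries that anyone on the system can execute. Only the /sbin/shutdown line is taken from the message; the other sample entries are constructed.

```shell
#!/bin/sh
# Added example, not code from the original thread. Classifies setuid
# binaries from ls -l style output. In the 10-character mode string the
# owner-execute slot is character 4 ('s' = setuid + exec, 'S' = setuid
# without exec), group-execute is character 7, other-execute is 10.

# flag_setuid MODE OWNER GROUP PATH
# Prints one classification line; returns 1 only for a setuid-root
# binary that every user may execute, 0 otherwise.
flag_setuid() {
    mode=$1; owner=$2; group=$3; path=$4
    ownerx=$(printf '%s' "$mode" | cut -c4)
    groupx=$(printf '%s' "$mode" | cut -c7)
    otherx=$(printf '%s' "$mode" | cut -c10)
    case $ownerx in
        s|S) ;;
        *) printf '%s: not setuid\n' "$path"; return 0 ;;
    esac
    if [ "$owner" != root ]; then
        printf '%s: setuid %s (not root)\n' "$path" "$owner"; return 0
    fi
    case $otherx in
        x|s|t) printf '%s: setuid root, executable by everyone\n' "$path"; return 1 ;;
    esac
    case $groupx in
        x|s) printf '%s: setuid root, executable only by group %s\n' "$path" "$group"; return 0 ;;
    esac
    printf '%s: setuid root, executable only by root\n' "$path"; return 0
}

# Sample ls -l lines: the first is the entry quoted in the reply, the
# rest are constructed for illustration.
while read -r mode links owner group size mon day time path; do
    flag_setuid "$mode" "$owner" "$group" "$path" || :
done <<'EOF'
-r-sr-x---  1 root  operator  139264 Jul 15 02:08 /sbin/shutdown
-r-sr-xr-x  1 root  wheel      16384 Jul 15 02:08 /usr/bin/su
-r-xr-xr-x  1 root  wheel      65536 Jul 15 02:08 /bin/ls
EOF
```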


