From owner-freebsd-security Tue Jun 25 01:00:44 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA29331 for security-outgoing; Tue, 25 Jun 1996 01:00:44 -0700 (PDT)
Received: from ns2.harborcom.net (root@ns2.harborcom.net [206.158.4.4]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA29316 for ; Tue, 25 Jun 1996 01:00:37 -0700 (PDT)
Received: from swoosh.dunn.org (swoosh.dunn.org [206.158.7.243]) by ns2.harborcom.net (8.7.4/8.6.12) with SMTP id EAA05731; Tue, 25 Jun 1996 04:00:22 -0400 (EDT)
Message-Id: <199606250800.EAA05731@ns2.harborcom.net>
Comments: Authenticated sender is
From: "Bradley Dunn"
Organization: Harbor Communications
To: -Vince-
Date: Tue, 25 Jun 1996 03:55:55 -0500
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Subject: Re: I need help on this one - please help me track this guy
Reply-to: dunn@harborcom.net
CC: security@FreeBSD.org
Priority: normal
X-mailer: Pegasus Mail for Win32 (v2.31)
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

[CC header trimmed, once again]

On 24 Jun 96 at 23:46, -Vince- wrote:

> > > > 2) The Cracker made a trojan script somewhere (usually exploiting
> > > > some admins (roots) who have "." in their path). This way he creates
> > > > a script that when run as root will make him a suid program.
> > > > after this he has you by tender bits.
> > >
> > > Hmmm, doesn't everyone have . as their path since all . does is allow
> > > someone to run stuff from the current directory...
> >
> > Not root! this leaves you wide open for trojans. As root you should
> > have to type ./foo to run foo in the current directory.
>
> Hmmm, really? It seems like almost all systems root has . for the
> path but if the directory for root is like read, write, execute by root
> only, how will they get into it?

*Sigh*. This is turning into elementary sysadmin class.

If you are going to admin a system with over 1000 users, you need to
learn to think security issues through. If "." is in the path, the
cracker can put a trojan horse in some directory where he *can* write,
and he will name it something he hopes the unsuspecting admin will
execute while root.

Bradley Dunn
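
The risk described in this message, as an added example that is not part of the original post: a POSIX shell check that root can run against its own PATH. It goes slightly beyond the message by also flagging empty entries (which the shell searches as the current directory), relative entries, and directories writable by group or others; the function names and the sample PATH are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original message): audit a PATH string for
# entries that let a file planted in some writable directory shadow a command.

# is_loose DIR -> true if DIR is writable by group or others.
# -H makes find follow a symlinked entry such as /bin -> usr/bin.
is_loose() {
    [ -n "$(find -H "$1" -prune \( -perm -0002 -o -perm -0020 \) \
            -print 2>/dev/null)" ]
}

# audit_path PATHSTRING -> prints one finding per line; returns 1 if any.
audit_path() {
    findings=0
    rest="$1:"                 # trailing ":" keeps a final empty entry visible
    while [ -n "$rest" ]; do
        entry=${rest%%:*}      # text before the first ":"
        rest=${rest#*:}        # text after the first ":"
        case "$entry" in
            "") echo "EMPTY: empty entry, searched as the current directory"
                findings=1 ;;
            .)  echo "DOT: current directory is searched"
                findings=1 ;;
            /*) if is_loose "$entry"; then
                    echo "WRITABLE: $entry is writable by group or others"
                    findings=1
                fi ;;
            *)  echo "RELATIVE: $entry resolves against the current directory"
                findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed sample: ".", an empty entry ("::") and a relative "bin".
# Pass a real value instead, e.g.:  sh audit_path.sh "$PATH"
SAMPLE_PATH='.:/usr/bin::bin'
if audit_path "${1:-$SAMPLE_PATH}"; then
    echo "no risky PATH entries"
else
    echo "risky PATH entries found"
fi
```

A leading or trailing colon, or a doubled "::", has the same effect as "." and is easy to miss when reading a PATH by eye.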