From owner-freebsd-security Tue Jun 25 01:22:54 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA00992 for security-outgoing; Tue, 25 Jun 1996 01:22:54 -0700 (PDT)
Received: from asterix.insight.co.za (asterix.insight.co.za [196.27.7.9]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id BAA00983; Tue, 25 Jun 1996 01:22:44 -0700 (PDT)
Received: by asterix.insight.co.za (Smail3.1.29.1 #1) id m0uYTO8-000vDSC; Tue, 25 Jun 96 10:22 SAT
Message-Id:
From: jvisagie@insight.co.za (Johann Visagie)
Subject: Re: I need help on this one - please help me track this guy down!
To: vince@mercury.gaianet.net (-Vince-)
Date: Tue, 25 Jun 1996 10:22:20 +0200 (SAT)
Cc: mark@grumble.grondar.za, hackers@FreeBSD.org, security@FreeBSD.org, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
In-Reply-To: from "-Vince-" at Jun 24, 96 11:46:03 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

-Vince- wrote:
>
> Hmmm, really? It seems like almost all systems root has . for the
> path but if the directory for root is like read, write, execute by root
> only, how will they get into it?

-Vince- also writes (in response to Mark Murray):
> > For much more info, I recommend "Practical Unix Security" from
> > O'Reilly and Associates, (By Garfinkel?)
>
> I have that book but there are always ways no one knows about ;)

I would suggest you _read_ it ;), specifically page 151 ff. (assuming you
have the first edition), where path attacks are described. To summarise an
example in that section:

1) User realises root has '.' in his path
2) User creates a file called something funny like '-i' in his home directory
3) User creates a script called 'ls' in his home directory, which first attempts to create a setuid root shell somewhere, and then calls the "real" /bin/ls
4) User tells his sysadmin there's a "funny file" in his home directory that he can't get rid of
5) Root cd's to user's home directory and types "ls" to see what's going on.
6) Voila!

Boy, this brings back memories... ;)

-- V
Johann Visagie | Email: jvisagie@insight.co.za | Tel: +27 83 777-4260
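The attack summarised above only works because root's PATH contains '.' (an empty entry, produced by a leading, trailing or doubled ':', means the same thing to the shell). As an added example, not part of the original message or the book it cites, here is a POSIX sh function that audits a PATH string for such entries and for world-writable directories, which is the check an administrator would run before worrying about what is in a user's home directory; the function name and its output format are my own.

```shell
#!/bin/sh
# path_audit PATHSTRING
# Report PATH entries that let someone other than the administrator decide
# which program a bare command name such as "ls" runs: '.', an empty entry
# (leading, trailing or doubled ':' also means "current directory"), any
# other relative entry, and any existing directory that is world-writable.
# Returns 0 when the PATH is clean, 1 when at least one unsafe entry exists.
# Added example for this thread; not the list's or the book's own code.
path_audit() {
    _rest="$1:"                      # trailing ':' so every entry ends in ':'
    _rc=0
    while [ -n "$_rest" ]; do
        _entry="${_rest%%:*}"        # text before the first ':'
        _rest="${_rest#*:}"          # drop that entry and its ':'
        case "$_entry" in
            '')
                echo "UNSAFE: empty entry (resolves to the current directory)"
                _rc=1 ;;
            /*)
                # -H follows a symlinked entry (e.g. /bin -> usr/bin) so the
                # link's own mode bits are not mistaken for the directory's;
                # -prune stops find from descending, -perm -0002 is "o+w".
                if [ -d "$_entry" ] &&
                   [ -n "$(find -H "$_entry" -prune -perm -0002 -print 2>/dev/null)" ]
                then
                    echo "UNSAFE: world-writable directory $_entry"
                    _rc=1
                fi ;;
            *)
                echo "UNSAFE: relative entry '$_entry' (searched under the current directory)"
                _rc=1 ;;
        esac
    done
    return $_rc
}

# Stand-alone use: sh path_audit.sh "$PATH" audits the caller's own PATH.
[ $# -eq 0 ] || path_audit "$1" || echo "PATH contains unsafe entries"
```

Run it as root (or against root's PATH copied from its shell startup files) on each host; a clean result prints nothing and exits 0.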