Date: Sat, 10 Feb 1996 11:36:15 -0500 (EST)
From: Brian Tao <taob@io.org>
To: Paul Traina <pst@shockwave.com>
Cc: FREEBSD-SECURITY-L <freebsd-security@freebsd.org>
Subject: Re: User creating root-owned directories?
Message-ID: <Pine.BSF.3.91.960210095956.17721M-100000@zip.io.org>
In-Reply-To: <199602100808.AAA02008@precipice.shockwave.com>

On Sat, 10 Feb 1996, Paul Traina wrote:
>
> errr... did your sysadmin have root when he did ls -l in that user's
> directory?
>
> if so, did he have . in his path?

The sysadmin would be me ;-), and the root account does not include .
anywhere in the path. The three others with root access were not
involved with this.

> You possibly could have been had by someone who had a ls executable
> which, when run as root, deleted itself, created the directory, AND
> created a setuid program somewhere.

I'll perform a more detailed scan for setuid and setgid programs today
then. A lot of our users run setuid CGI scripts (PHP tools, a Web page
logging package)... the hacker may have named a setuid program after
one of the PHP scripts to hide it from scrutiny. Probably a good time
to compare MD5 signatures on the system binaries too... *sigh*.

> In any case, I'd upgrade to sendmail 8.7.x (x=current) and freebsd 2.1
> -stable just to be sure you've got all the security patches. 8.6.12 does
> have bugs in it which could allow a user to gain root.

Being sendmail and all, 8.7.x probably does too. ;-) It'll take a
little bit of work to do that, since our current mail server is on
BSD/OS 2.0, and also handles several other functions. Thanks, Paul.

--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"
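
Added example, not part of the original message or the thread: a Python sketch of the setuid/setgid scan and checksum comparison mentioned above, run against a saved baseline. It uses SHA-256 in place of MD5, and the function names and record layout are assumptions made for this illustration.

```python
# Added example (not from the thread): inventory setuid/setgid files and
# diff the result against a saved baseline. Function names are illustrative;
# SHA-256 is used here instead of the MD5 mentioned in the message.
import hashlib
import os
import stat
import sys

def file_digest(path):
    """SHA-256 of a file, or None if it cannot be read."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()

def scan_privileged(root):
    """Map path -> (mode string, uid, gid, digest) for setuid/setgid regular files."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: report the entry itself, not a symlink target
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = (stat.filemode(st.st_mode), st.st_uid, st.st_gid,
                               file_digest(path))
    return found

def compare(baseline, current):
    """Return (new, changed, missing) path lists between two scans."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    return new, changed, missing

if __name__ == "__main__":
    # Usage: script.py DIR  -> prints every setuid/setgid file under DIR.
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, (mode, uid, gid, digest) in sorted(scan_privileged(root).items()):
        print(mode, uid, gid, digest, path)
```

Because the comparison covers mode, owner, group and content, a setuid file that borrows the name of a legitimate script still appears as new or changed. The baseline is only useful if it was taken from a known-good state and is kept where the scanned host cannot modify it.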