Date: Sat, 10 Feb 1996 11:36:15 -0500 (EST)
From: Brian Tao
To: Paul Traina
cc: FREEBSD-SECURITY-L
Subject: Re: User creating root-owned directories?
In-Reply-To: <199602100808.AAA02008@precipice.shockwave.com>

On Sat, 10 Feb 1996, Paul Traina wrote:
>
> errr... did your sysadmin have root when he did ls -l in that user's
> directory?
>
> if so, did he have . in his path?

    The sysadmin would be me ;-), and the root account does not include
. anywhere in the path.  The three others with root access were not
involved with this.

> You possibly could have been had by someone who had a ls executable
> which, when run as root, deleted itself, created the directory, AND
> created a setuid program somewhere.

    I'll perform a more detailed scan for setuid and setgid programs
today then.  A lot of our users run setuid CGI scripts (PHP tools, a Web
page logging package)... the hacker may have named a setuid program after
one of the PHP scripts to hide it from scrutiny.  Probably a good time to
compare MD5 signatures on the system binaries too... *sigh*.

> In any case, I'd upgrade to sendmail 8.7.x (x=current) and freebsd 2.1
> -stable just to be sure you've got all the security patches.  8.6.12 does
> have bugs in it which could allow a user to gain root.

    Being sendmail and all, 8.7.x probably does too.  ;-)  It'll take a
little bit of work to do that, since our current mail server is on BSD/OS
2.0, and also handles several other functions.

    Thanks, Paul.
--
Brian Tao (BT300, taob@io.org)
Systems Administrator, Internex Online Inc.
"Though this be madness, yet there is method in't"
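Added example, not from the original thread: a small POSIX sh integrity check covering the two steps Brian mentions above, a scan for setuid/setgid files and an MD5 comparison of binaries against a saved baseline. It assumes find(1) and either md5sum(1) (GNU) or md5(1) (BSD) are installed; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the original mail): setuid scan plus MD5 baseline.
#   find_setuid DIR      -> lists setuid/setgid regular files under DIR
#   md5_baseline DIR OUT -> writes "hash  path" for every regular file under DIR
#   md5_verify BASE      -> prints CHANGED/MISSING lines for files that drifted
# Assumes find(1) and either md5sum(1) or BSD md5(1); names are hypothetical.

# Print the MD5 of one file using whichever tool this system has.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        md5 -q "$1"
    fi
}

# Setuid (mode bit 4000) or setgid (2000) regular files, sorted for stable output.
find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Record the hash of every regular file under DIR into OUT (one "hash  path" per line).
md5_baseline() {
    dir=$1; out=$2
    : > "$out"
    find "$dir" -type f -print | sort | while read -r f; do
        printf '%s  %s\n' "$(md5_of "$f")" "$f" >> "$out"
    done
}

# Compare the files listed in BASE against their current content.
# Note: a mode change alone (e.g. a newly set setuid bit) does not alter the
# MD5, which is why the setuid scan above is still needed alongside this.
md5_verify() {
    base=$1
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            printf 'MISSING  %s\n' "$path"
        elif [ "$(md5_of "$path")" != "$hash" ]; then
            printf 'CHANGED  %s\n' "$path"
        fi
    done < "$base"
}
```

Run `md5_baseline /usr/bin /root/usr-bin.md5` on a known-good system and keep the baseline off-box; later `md5_verify` and `find_setuid` together catch both replaced binaries and files that merely gained a setuid bit.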