From owner-freebsd-security Tue Jun 25 03:24:08 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA10609 for security-outgoing; Tue, 25 Jun 1996 03:24:08 -0700 (PDT)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA10393 for ; Tue, 25 Jun 1996 03:23:22 -0700 (PDT)
Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id MAA09453; Tue, 25 Jun 1996 12:21:25 +0200 (SAT)
Message-Id: <199606251021.MAA09453@grumble.grondar.za>
To: -Vince-
cc: Bradley Dunn, security@FreeBSD.org, jbhunt, Chad Shackley
Subject: Re: I need help on this one - please help me track this guy
Date: Tue, 25 Jun 1996 12:21:25 +0200
From: Mark Murray
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

-Vince- wrote:
> > *Sigh*. This is turning into elementary sysadmin class. If you are
> > going to admin a system with over 1000 users, you need to learn to
> > think security issues through. If "." is in the path, the cracker can
> > put a trojan horse in some directory where he *can* write, and he
> > will name it something he hopes the unsuspecting admin will execute
> > while root.
>
> Well, the problem here is one of the admins knows the user and he
> was watching him just run the program himself, the root user had nothing
> to do with executing anything...

...in which case you were _really_ open. The user could do what he liked,
right? He didn't have to trick you, he just did it - with root privilege.
He just (ab)used your goodwill and naivete.

When you let users type commands on your system, you are supposed to be
alert :-)

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key
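
The quoted point about "." in the path, as an added example that is not part of the original message: a shell function that flags entries in a PATH string that resolve to the current directory or to a directory other users can write to. The function name, the finding labels and the sample PATH are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): flag PATH entries that let a file
# planted in a writable directory run in place of the intended command.

# audit_path PATHSTRING
# Prints "KIND<TAB>entry" per risky entry; returns 1 if any were found.
# Only classic mode bits are checked; ACLs are not considered.
audit_path() {
    rest="$1:"            # trailing ":" so the last entry is also consumed
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ":"
        rest=${rest#*:}     # everything after it
        case "$entry" in
            "") # An empty entry is searched as the current directory.
                printf 'EMPTY\t(means current directory)\n'; found=1 ;;
            .)  printf 'DOT\t.\n'; found=1 ;;
            /*) # Absolute entry: check who may create files in it.
                [ -d "$entry" ] || continue
                perms=$(ls -ldL "$entry" 2>/dev/null) || continue
                case "$perms" in
                    ????????w*) printf 'WORLD_WRITABLE\t%s\n' "$entry"; found=1 ;;
                    ?????w*)    printf 'GROUP_WRITABLE\t%s\n' "$entry"; found=1 ;;
                esac ;;
            *)  # Relative entries depend on wherever the shell happens to be.
                printf 'RELATIVE\t%s\n' "$entry"; found=1 ;;
        esac
    done
    return "$found"
}

# Constructed sample value, not taken from the thread.
SAMPLE_PATH='/usr/bin:.:bin:'
audit_path "$SAMPLE_PATH" || true
```

Calling `audit_path "$PATH"` from a root shell audits the path that shell actually uses.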