From owner-freebsd-hackers Mon Jun 24 18:08:51 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id SAA28883 for hackers-outgoing; Mon, 24 Jun 1996 18:08:51 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA28877; Mon, 24 Jun 1996 18:08:47 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id SAA26787; Mon, 24 Jun 1996 18:07:01 -0700 (PDT)
Date: Mon, 24 Jun 1996 18:07:00 -0700 (PDT)
From: -Vince-
To: Michael Smith
cc: mark@grumble.grondar.za, wilko@yedi.iaf.nl, jkh@time.cdrom.com, guido@gvr.win.tue.nl, hackers@FreeBSD.org, security@FreeBSD.org, ache@FreeBSD.org, jbhunt , Chad Shackley
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606250125.KAA25110@genesis.atrad.adelaide.edu.au>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Michael Smith wrote:

> Mark Murray stands accused of saying:
> > >
> > > -rwsr-xr-x 1 root users 278528 Jun 18 04:01 root is from the dir
> >      ^
> >      | This is a setuid prog. The program is owned by root, and is
> >        SETUID, therefore it will run as if it were root. It is
> >        probably a shell (bash, sh, csh) renamed to root and setuid.
> >        "chmod 755 root" will cut it down to size.
>
> lovely:~>ls -l /bin/sh
> -r-xr-xr-x 1 bin bin 278528 Jun 19 20:34 /bin/sh
>
> The question is, of course, what a setuid-root copy of /bin/sh is doing
> in this user's home directory. Have you fixed the 'modload' hole on this
> system yet?

Yeah, the modload hole was fixed a long time ago as well as the
man hole... Getting /bin/sh with setuid-root is the really strange part..

Vince