From owner-freebsd-security Tue Jun 10 14:34:47 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id OAA05085 for security-outgoing; Tue, 10 Jun 1997 14:34:47 -0700 (PDT)
Received: from news.IAEhv.nl (root@news.IAEhv.nl [194.151.64.4]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id OAA05076 for ; Tue, 10 Jun 1997 14:34:36 -0700 (PDT)
Received: from LOCAL (uucp@localhost) by news.IAEhv.nl (8.6.13/1.63) with IAEhv.nl; pid 22002 on Tue, 10 Jun 1997 21:33:35 GMT; id VAA22002 efrom: peter@grendel.IAEhv.nl; eto: UNKNOWN
Received: (from peter@localhost) by grendel.IAEhv.nl (8.8.5/8.8.5) id XAA00704; Tue, 10 Jun 1997 23:21:41 +0200 (CEST)
Message-ID: <19970610232141.02938@hw.nl>
Date: Tue, 10 Jun 1997 23:21:41 +0200
From: Peter Korsten
To: Yuang Shuang-Long
Cc: freebsd-security@FreeBSD.ORG
References: <199706102254.WAA02221@FreeBSD.cs.nccu.edu.tw>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.67e
In-Reply-To: <199706102254.WAA02221@FreeBSD.cs.nccu.edu.tw>; from Yuang Shuang-Long on Tue, Jun 10, 1997 at 10:54:54PM +0000
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Yuang Shuang-Long shared with us:

> I have a trouble that some users use the following prog. to get
> root privilege, and the more they do some destructive thing. (eg.
> delete some file /var/log/* :-( ) I need your help...
>
> [code fragment deleted]

Perhaps I'm confused here, but I don't think this program could do any harm, except when it's run as setuid root. So

    find / -user 0 -perm -04000

should give you all setuid root programs on the system. But doesn't the daily security run complain about setuid programs that have been added?

Perhaps the solution would be to make a backup of your /etc tree, reboot the system in single user mode, type

    find / -user 0 -perm -04000 | xargs chmod -s

reinstall the system and replace the /etc tree after checking for obvious things like uid's of 0 in the password file.

Note that the above method is very drastic and I suppose that a more-into-security person has a more elegant solution. In other words, don't try it.

- Peter
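
The find command in the message above can be turned into a check that reports setuid programs added since a saved baseline, which is what the message expects the daily security run to complain about. This is an added example, not part of the original message and not FreeBSD's own script; the function names and the sample tree in demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: report setuid files that were not in a saved baseline.
# Function names are hypothetical, not taken from any FreeBSD script.

# list_setuid ROOT [UID]
# Print, sorted, every regular file under ROOT that is owned by UID
# (default 0, i.e. root) and has the setuid bit set. -xdev keeps the
# search on one filesystem so other mounts are not walked.
list_setuid() {
    find "$1" -xdev -type f -user "${2:-0}" -perm -04000 -print 2>/dev/null |
        LC_ALL=C sort
}

# new_setuid BASELINE ROOT [UID]
# Print setuid files that exist now but are missing from BASELINE,
# a file previously written by list_setuid.
new_setuid() {
    _cur=$(mktemp) || return 2
    list_setuid "$2" "${3:-0}" > "$_cur"
    # comm -13 keeps only the lines unique to the second (current) list.
    LC_ALL=C comm -13 "$1" "$_cur"
    rm -f "$_cur"
}

# demo
# Constructed sample tree. It audits our own uid instead of 0 because
# creating root-owned files needs root. Prints the name flagged as new.
demo() {
    d=$(mktemp -d) || return 2
    uid=$(id -u)
    : > "$d/passwd-tool"; chmod 4755 "$d/passwd-tool"  # setuid, in baseline
    : > "$d/plain";       chmod 0755 "$d/plain"        # never setuid
    list_setuid "$d" "$uid" > "$d/baseline.txt"
    : > "$d/sh-copy";     chmod 4755 "$d/sh-copy"      # added after baseline
    new_setuid "$d/baseline.txt" "$d" "$uid" | sed "s|^$d/||"
    rm -rf "$d"
}
```

On a real system the baseline would be taken as root with `list_setuid / > baseline.txt` and kept somewhere the audited users cannot write.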