Date:      Tue, 25 Jun 1996 10:22:20 +0200 (SAT)
From:      jvisagie@insight.co.za (Johann Visagie)
To:        vince@mercury.gaianet.net (-Vince-)
Cc:        mark@grumble.grondar.za, hackers@FreeBSD.org, security@FreeBSD.org, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
Subject:   Re: I need help on this one - please help me track this guy down!
Message-ID:  <m0uYTO8-000vDSC@asterix.insight.co.za>
In-Reply-To: <Pine.BSF.3.91.960624234156.21697d-100000@mercury.gaianet.net> from "-Vince-" at Jun 24, 96 11:46:03 pm

-Vince- wrote:
>
> 	Hmmm, really?  It seems like almost all systems root has . for the
> path but if the directory for root is like read, write, execute by root
> only, how will they get into it?

-Vince- also writes (in response to Mark Murray):

> > For much more info, I recommend "Practical Unix Security" from
> > O'Reilly and Associates, (By Garfinkel?)
> 
> 	I have that book but there are always ways no one knows about ;)

I would suggest you _read_ it ;), specifically page 151 ff. (assuming you
have the first edition), where path attacks are described.  To summarise an
example in that section:

1)  User realises root has '.' in his path
2)  User creates a file called something funny like '-i' in his home
    directory
3)  User creates a script called 'ls' in his home directory, which first
    attempts to create a setuid root shell somewhere, and then calls the
    "real" /bin/ls
4)  User tells his sysadmin there's a "funny file" in his home directory that
    he can't get rid of
5)  Root cd's to user's home directory and types "ls" to see what's going on.
6)  Voila!

Boy, this brings back memories...  ;)

-- V

Johann Visagie | Email: jvisagie@insight.co.za | Tel: +27 83 777-4260
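
A defensive check for the condition in step 1, as an added example that is not part of the original message: it walks a PATH string and flags '.', empty elements (which the shell also searches as the current directory), other relative entries, and group- or world-writable directories, so it covers more than the single '.' case described above. The function name audit_path and the wording of its output are assumptions made for this example.

```shell
#!/bin/sh
# audit_path: flag search-path entries that let a directory's owner
# (or anyone able to write to it) substitute commands such as "ls".
# Usage: audit_path "$PATH"   -> prints findings, returns 1 if any.
audit_path() {
    rest="$1:"          # trailing ':' so the last element is not dropped
    flagged=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}   # text before the first ':'
        rest=${rest#*:}     # remainder after the first ':'
        case $entry in
            '')
                # An empty element (leading, trailing or doubled ':')
                # is searched as the current directory, same as '.'.
                echo "RISK empty entry (current directory)"
                flagged=1 ;;
            /*)
                [ -d "$entry" ] || continue
                # Mode string from ls: position 6 = group write,
                # position 9 = other write. -L follows symlinks.
                mode=$(ls -ldL "$entry" | cut -c1-10)
                case $mode in
                    d???????w*) echo "RISK world-writable: $entry"; flagged=1 ;;
                    d????w*)    echo "RISK group-writable: $entry"; flagged=1 ;;
                esac ;;
            *)
                # '.', '..', 'bin', './tools': resolved against whatever
                # directory the user happens to be in.
                echo "RISK relative entry: $entry"
                flagged=1 ;;
        esac
    done
    return "$flagged"
}

# Audit the invoking user's own PATH when the script is run directly.
audit_path "$PATH" || echo "PATH needs review"
```

Run it as root (or against root's PATH string taken from its shell start-up files) to see whether the precondition for the attack exists on a given system.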


