From owner-freebsd-security  Sun Aug 10 11:36:23 1997
Return-Path: <owner-freebsd-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id LAA05401
          for security-outgoing; Sun, 10 Aug 1997 11:36:23 -0700 (PDT)
Received: from shell.firehouse.net (brian@shell.firehouse.net [209.42.203.45])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id LAA05396
          for <freebsd-security@FreeBSD.ORG>; Sun, 10 Aug 1997 11:36:20 -0700 (PDT)
Received: from localhost (brian@localhost)
	by shell.firehouse.net (8.8.5/8.8.5) with SMTP id OAA19115;
	Sun, 10 Aug 1997 14:36:13 -0400 (EDT)
Date: Sun, 10 Aug 1997 14:36:13 -0400 (EDT)
From: Brian Mitchell <brian@firehouse.net>
To: "Jonathan A. Zdziarski" <jonz@netrail.net>
cc: bugtraq@netspace.org, freebsd-security@FreeBSD.ORG
Subject: Re: procfs hole
In-Reply-To: <Pine.BSF.3.95q.970810104520.14828A-100000@netrail.net>
Message-ID: <Pine.BSI.3.95.970810143501.19099B-100000@shell.firehouse.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun, 10 Aug 1997, Jonathan A. Zdziarski wrote:

> never mind about my last message - I was finally able to get it to work on
> both 2.2.2 and 2.2.1 systems.  ack.  is the 'su' command the only
> pheasable method of manipulating this problem, or do you think it could be
> done with other setuid programs?  I'm running sudo, and can disable su,
> but then again what if sudo can be modified.

Don't be silly, any setuid program can be used. If I chose to overwrite
printf() with code to setuid and execute a shell, it would prob work with
any setuid program. As noted, the easiest way to avoid the problem is just
to disable procfs -- nobody really uses it anyways.