From owner-freebsd-hackers Tue Jun 25 01:35:59 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA02113 for hackers-outgoing; Tue, 25 Jun 1996 01:35:59 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id BAA02095; Tue, 25 Jun 1996 01:35:52 -0700 (PDT)
Received: (from vince@localhost) by mercury.gaianet.net (8.7.5/8.6.12) id BAA14320; Tue, 25 Jun 1996 01:35:28 -0700 (PDT)
Date: Tue, 25 Jun 1996 01:35:28 -0700 (PDT)
From: -Vince-
To: Johann Visagie
cc: mark@grumble.grondar.za, hackers@FreeBSD.org, security@FreeBSD.org, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, Johann Visagie wrote:

> -Vince- wrote:
> >
> > Hmmm, really? It seems like almost all systems root has . for the
> > path but if the directory for root is like read, write, execute by root
> > only, how will they get into it?
>
> -Vince- also writes (in response to Mark Murray):
> >
> > > For much more info, I recommend "Practical Unix Security" from
> > > O'Reilly and Associates, (By Garfinkel?)
> >
> > I have that book but there are always ways no one knows about ;)
>
> I would suggest you _read_ it ;), specifically page 151 ff. (assuming you
> have the first edition), where path attacks are described. To summarise an
> example in that section:
>
> 1) User realises root has '.' in his path
> 2) User creates a file called something funny like '-i' in his home
>    directory
> 3) User creates a script called 'ls' in his home directory, which first
>    attempts to create a setuid root shell somewhere, and then calls the
>    "real" /bin/ls
> 4) User tells his sysadmin there's a "funny file" in his home directory that
>    he can't get rid of
> 5) Root cd's to user's home directory and types "ls" to see what's going on.
> 6) Voila!

Yes, but what happens if it was like this case:

1) user knows sysadmin so sysadmin creates account for him
2) user logs in and puts a file named root with the sysadmin watching him
3) user runs root and gets root...

This only works if the user is using bash or sh for the login shell; if you
use csh or tcsh, it doesn't work.

Vince
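Both scenarios in this thread hinge on root's shell searching the current directory for a command name. The POSIX sh helpers below are an added example, not code from any list member or from FreeBSD: audit_path reports the PATH entries that make this possible (a literal '.', an empty component, a relative directory, or a world-writable absolute directory) and clean_path produces a PATH that keeps only absolute, de-duplicated entries. Function names and the sample PATH strings are constructed for the example.

```shell
#!/bin/sh
# Added example for the "root has . in PATH" thread; not original list code.

# audit_path PATHSTR: print one finding per line; return 0 if clean, 1 otherwise.
audit_path() {
    _rest="$1:"          # trailing ':' so the loop also consumes the last entry
    _bad=0
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            ""|.)   # an empty component (leading, trailing or '::') means cwd, same as '.'
                    printf 'current directory in PATH: "%s"\n' "$_entry"; _bad=1 ;;
            /*)     # absolute entry: flag it if others may write there ('w' in the
                    # 9th column of ls -ld output), since anyone could drop an "ls" in it
                    case "$(ls -ld "$_entry" 2>/dev/null)" in
                        ????????w*) printf 'world-writable directory in PATH: %s\n' "$_entry"; _bad=1 ;;
                    esac ;;
            *)      printf 'relative entry in PATH: %s\n' "$_entry"; _bad=1 ;;
        esac
    done
    return $_bad
}

# clean_path PATHSTR: echo PATHSTR with '.', empty and relative entries removed
# and duplicate directories dropped; only absolute entries survive, in order.
clean_path() {
    _rest="$1:"
    _out=""
    while [ -n "$_rest" ]; do
        _entry=${_rest%%:*}
        _rest=${_rest#*:}
        case "$_entry" in
            /*) case ":$_out:" in
                    *":$_entry:"*) ;;                      # already present
                    *) _out="${_out:+$_out:}$_entry" ;;
                esac ;;
        esac
    done
    printf '%s\n' "$_out"
}

# Constructed sample in the shape the thread complains about:
#   audit_path ".:/usr/bin:/bin::"   -> three findings ('.' and two empty components)
#   clean_path ".:/usr/bin:/bin::"   -> /usr/bin:/bin
```

Run audit_path "$PATH" as root to check the live setting; a clean result means a command typed in an untrusted directory can only resolve to a system binary.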