From owner-freebsd-hackers Tue Jun 25 03:05:55 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id DAA09469 for hackers-outgoing; Tue, 25 Jun 1996 03:05:55 -0700 (PDT)
Received: from grumble.grondar.za (root@grumble.grondar.za [196.7.18.130]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id DAA09440; Tue, 25 Jun 1996 03:05:23 -0700 (PDT)
Received: from grumble.grondar.za (mark@localhost.grondar.za [127.0.0.1]) by grumble.grondar.za (8.7.5/8.7.3) with ESMTP id MAA09345; Tue, 25 Jun 1996 12:02:23 +0200 (SAT)
Message-Id: <199606251002.MAA09345@grumble.grondar.za>
To: -Vince-
cc: Don Yuniskis, mark@grumble.grondar.za, hackers@FreeBSD.ORG, security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
Subject: Re: I need help on this one - please help me track this guy down!
Date: Tue, 25 Jun 1996 12:02:23 +0200
From: Mark Murray
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-Vince- wrote:
> On Tue, 25 Jun 1996, Don Yuniskis wrote:
> > > Hmmm, that's only if we had phone support.... We don't :) but do
> > > admins really go run a program that the user said won't run?
> >
> > Well, it *appears* that one of *you* did! :>
>
> Well, jbhunt was the one who gave the user the account and the
> user just transferred the root which is /bin/sh with setuid and ran it
> and he got root....

Review that. _Carefully_. I think you are seriously WRONG there.
That user did something sneaky, and you did not see it.

M
--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger mark@grondar.za for PGP key