From owner-freebsd-security  Wed Jun 26 18:26:55 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id SAA10861
          for security-outgoing; Wed, 26 Jun 1996 18:26:55 -0700 (PDT)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id SAA10854
          for ; Wed, 26 Jun 1996 18:26:51 -0700 (PDT)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id KAA08033;
          Thu, 27 Jun 1996 10:43:13 +0930
From: Michael Smith
Message-Id: <199606270113.KAA08033@genesis.atrad.adelaide.edu.au>
Subject: Re: I need help on this one - please help me track this guy down!
To: vince@mercury.gaianet.net (-Vince-)
Date: Thu, 27 Jun 1996 10:43:12 +0930 (CST)
Cc: security@FreeBSD.ORG, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.n
In-Reply-To: from "-Vince-" at Jun 26, 96 01:55:05 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

-Vince- stands accused of saying:
> >
> > Well, *if* that's true, it still wouldn't be setuid root just from the
> > transfer. He'd *still* have to get root some other way to make this
> > binary setuid root.
> >
> > But if he's going to do that, why bother copying a binary over the
> > network -- it would just be easier to just snag a copy of your own
> > /bin/sh and mark it setuid root.
>
> Hmmm, what happens if he tars it first and then sends it over?

Vince, you are, like, _spectacularly_ dim.

Tar is a program. It reads datafiles, and writes new files based on
what it reads. It is not magic. If it reads a tarfile that tells it
to create a setuid root file, it will try to do so.

Note that about half a dozen people have said _very_plainly_ that to
create or make a setuid root file one _must_already_be_root_.

Or am I just wasting my ulcer on you?

> Vince

--
]] Mike Smith, Software Engineer        msmith@atrad.adelaide.edu.au    [[
]] Genesis Software                     genesis@atrad.adelaide.edu.au   [[
]] High-speed data acquisition and      (GSM mobile)     0411-222-496   [[
]] realtime instrument control          (ph/fax)  +61-8-267-3039        [[
]] Collector of old Unix hardware.      "Where are your PEZ?" The Tick  [[
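
Added example, not part of the original message: a pre-extraction audit that lists the setuid/setgid members a tar header asks for, and models the point made above that a setuid-root file can only result when the extracting process is already root. The archive contents, the names `build_sample_archive` and `audit`, and the uid values are constructed for illustration.

```python
import io
import stat
import tarfile


def build_sample_archive() -> bytes:
    """Constructed sample: a tar whose headers *request* special mode bits."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, uid in (
            ("notes.txt", 0o644, 1000),
            ("sh", 0o4755, 0),       # setuid bit, owner recorded as root
            ("tool", 0o2755, 1000),  # setgid bit, non-root owner
        ):
            data = b"constructed sample payload\n"
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid, info.size = mode, uid, 0, len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit(archive: bytes, extracting_uid: int):
    """Return (name, flags, root_suid_possible) for setuid/setgid members.

    The header is only a request. A non-root extractor cannot chown to
    uid 0, so the file ends up owned by that user; a setuid-root file is
    possible only when the extracting process already runs as root.
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar:
            if not m.isfile():
                continue
            flags = [label for bit, label in
                     ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                     if m.mode & bit]
            if flags:
                root_suid_possible = (bool(m.mode & stat.S_ISUID)
                                      and m.uid == 0 and extracting_uid == 0)
                findings.append((m.name, "+".join(flags), root_suid_possible))
    return findings


if __name__ == "__main__":
    sample = build_sample_archive()
    for uid in (1000, 0):
        print(f"extracting as uid {uid}:", audit(sample, uid))
```

Only the headers are read; nothing is extracted, so the check is safe to run on an untrusted archive before deciding whether root should unpack it.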