From owner-freebsd-hackers Tue Jun 25 07:03:24 1996
Date: Tue, 25 Jun 1996 07:03:31 -0700
Message-Id: <199606251403.HAA15335@squirrel.tgsoft.com>
From: mark thompson
To: hackers@freefall.freebsd.org
In-reply-to: message from Don Yuniskis on Tue, 25 Jun 1996 02:03:35 -0700 (MST)
Subject: Re: I need help on this one - please help me track this guy down!

It seems that -Vince- said:
>
> On Tue, 25 Jun 1996, Don Yuniskis wrote:
>
> > It seems that -Vince- said:
> > > Hmmm, that's only if we had phone support.... We don't :) but do
> > > admins really go run a program that the user said won't run?
> >
> > Well, it *appears* that one of *you* did! :>
>
> Well, jbhunt was the one who gave the user the account and the
> user just transferred the root which is /bin/sh with setuid and ran it
> and he got root....

Once upon a time, one of our nice users brought in a tape he wanted
read. One of the guys logged in as root, hung the tape and untarred it
into the nice user's directory. The tape contained a shell that was
setuid root... but we didn't discover that 'till later. Seems this guy
didn't want to *break* anything, but just wanted to admin the machine
himself, being dissatisfied with us.

Anyway, i learned several valuable lessons:

1) Scan the machine for setuid programs. Often.
2) Read user's tapes when logged in as the user.
3) If you are running a computer system, trust nobody.

-mark
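
Lesson 1 as an added example, not part of the original message: a scanner that records every setuid/setgid regular file under a tree and diffs later scans against a reviewed baseline, so a setuid shell untarred into a home directory shows up as NEW. The script name, the baseline file name and the JSON baseline format are assumptions made for this example.

```python
import json
import os
import stat
import sys


def find_setid(root):
    """Return {path: [mode, uid]} for regular files under root that have
    the setuid or setgid bit set. Symlinks are not followed."""
    found = {}
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # file vanished or is unreadable; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = [stat.S_IMODE(st.st_mode), st.st_uid]
    return found


def compare(baseline, current):
    """Diff a scan against a reviewed baseline: (new, changed, removed)."""
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current
                     if p in baseline and list(current[p]) != list(baseline[p]))
    removed = sorted(p for p in baseline if p not in current)
    return new, changed, removed


if __name__ == "__main__":
    # Usage (hypothetical names): python3 setid_scan.py /home baseline.json
    root, baseline_file = sys.argv[1], sys.argv[2]
    current = find_setid(root)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh, indent=1)  # first run: record, then review by hand
        sys.exit(0)
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    new, changed, removed = compare(baseline, current)
    for label, paths in (("NEW", new), ("CHANGED", changed), ("REMOVED", removed)):
        for p in paths:
            mode, uid = current.get(p) or baseline[p]
            print(f"{label} {p} mode={mode:04o} uid={uid}")
    sys.exit(1 if new or changed else 0)
```

Run from cron, the non-zero exit status on NEW or CHANGED entries gives the "often" part; keep the baseline somewhere ordinary users cannot write.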