From owner-freebsd-hackers Tue Jun 25 07:41:15 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id HAA02365 for hackers-outgoing; Tue, 25 Jun 1996 07:41:15 -0700 (PDT)
Received: from horst.bfd.com (horst.bfd.com [204.160.242.10]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id HAA02325; Tue, 25 Jun 1996 07:41:08 -0700 (PDT)
Received: from harlie.bfd.com (bastion.bfd.com [204.160.242.2]) by horst.bfd.com (8.7.5/8.7.3) with SMTP id HAA18264; Tue, 25 Jun 1996 07:40:38 -0700 (PDT)
Date: Tue, 25 Jun 1996 07:40:34 -0700 (PDT)
From: "Eric J. Schwertfeger"
To: -Vince-
cc: Mark Murray, hackers@FreeBSD.ORG, security@FreeBSD.ORG, Chad Shackley, jbhunt
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, -Vince- wrote:

> Yeah, you have a point but jbhunt was watching the user as he
> hacked root since he brought the file from his own machine.... so that
> wasn't something the admin was tricked into doing..

Then the important question is, how did he move the file so that it
retained the setuid bit? We're already pretty sure that the program is
only /bin/sh with the setuid bit turned on. So either he found a way to
move the file with the bit turned on, or he found a way to turn it on,
which requires root access.
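
A check an admin could run for the artifact this message describes, a copy of /bin/sh with the setuid bit turned on. This is an added example, not part of the original message; the function name find_setuid_shell_copies and its output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original thread).
# List setuid files under a directory that are byte-identical to a
# reference shell, together with the numeric owner uid. A hit owned by
# uid 0 is the case discussed in the message: a root-owned shell copy
# with the setuid bit on.
#
# Usage: find_setuid_shell_copies DIR [REFERENCE_SHELL]
# Output: one line per hit, "uid=<owner> <path>"
# Limitation: paths containing newlines are not handled.
find_setuid_shell_copies() {
    dir=$1
    ref=${2:-/bin/sh}

    # -type f      regular files only
    # -perm -4000  setuid bit is set (other mode bits may be anything)
    # -xdev        do not cross into other mounted filesystems
    find "$dir" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        # cmp -s is silent and returns 0 only when the contents match,
        # so a renamed copy of the shell is still recognised.
        if cmp -s "$f" "$ref"; then
            # Third field of "ls -ldn" is the numeric owner uid.
            uid=$(ls -ldn "$f" | awk '{print $3}')
            printf 'uid=%s %s\n' "$uid" "$f"
        fi
    done
}
```

Run it over user-writable areas such as home directories and /tmp, once per shell listed in /etc/shells as the reference.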