Date: Fri, 28 Jun 1996 17:38:57 -0700 (PDT) From: Nathan Lawson <nlawson@kdat.csc.calpoly.edu> To: terry@lambert.org (Terry Lambert) Subject: Re: I need help on this one - please help me track this guy down! Message-ID: <199606290038.RAA00458@kdat.calpoly.edu> In-Reply-To: <199606271830.LAA05468@phaeton.artisoft.com> from "Terry Lambert" at Jun 27, 96 11:30:17 am
next in thread | previous in thread | raw e-mail | index | archive | help
> > > Seriously, you must be root to create a setuid root file. It doesn't > > > matter *how* you try to create it. > > > > A five dollar question Vince: > > > > does root have .rhosts in his home directory? What is to be found there? > > If he does, throw it away; it's enormously insecure. Similar with > > /etc/host.equiv et cetera. > > man ruserok > > The authentication for vouchsafe protocols (rcmd/rsh based protocols) > *specifically* ignores hosts.equiv and hosts.lpd for root. If root > does not have a .rhosts, then it is secure from vouchsafe attack this > way. Nice try, Terry, but since /bin and /usr/bin and all the binaries on the system are owned by bin, a hosts.equiv might as well allow root access. I can su to bin on my host, rsh over to victim, replace /usr/libexec/telnetd with a script, telnet to localhost, and have my script run as root. As I have said many times before, this is a vulnerable path to allowing normal users (in this case bin) more privileges than necessary. All binaries run as root MUST be owned by root. Any other protection is inadequate. -- Nate Lawson "There are a thousand hacking at the branches of CPE Senior evil to one who is striking at the root." CSL Admin -- Henry David Thoreau, 'Walden', 1854
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199606290038.RAA00458>