From owner-freebsd-hackers Tue Jun 25 13:15:20 1996
Return-Path: owner-hackers
Received: (from root@localhost)
    by freefall.freebsd.org (8.7.5/8.7.3) id NAA11672
    for hackers-outgoing; Tue, 25 Jun 1996 13:15:20 -0700 (PDT)
Received: from mercury.gaianet.net (root@mercury.gaianet.net [206.171.98.26])
    by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA11662
    for ; Tue, 25 Jun 1996 13:15:17 -0700 (PDT)
Received: (from vince@localhost)
    by mercury.gaianet.net (8.7.5/8.6.12) id NAA13032;
    Tue, 25 Jun 1996 13:14:43 -0700 (PDT)
Date: Tue, 25 Jun 1996 13:14:42 -0700 (PDT)
From: -Vince-
To: mark thompson
cc: hackers@freefall.freebsd.org, Chad Shackley, jbhunt, security@freebsd.org
Subject: Re: I need help on this one - please help me track this guy down!
In-Reply-To: <199606251403.HAA15335@squirrel.tgsoft.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Tue, 25 Jun 1996, mark thompson wrote:

> It seems that -Vince- said:
> >
> > On Tue, 25 Jun 1996, Don Yuniskis wrote:
> >
> > > It seems that -Vince- said:
> > > > Hmmm, that's only if we had phone support.... We don't :) but do
> > > > admins really go run a program that the user said won't run?
> > >
> > > Well, it *appears* that one of *you* did! :>
> >
> > Well, jbhunt was the one who gave the user the account and the
> > user just transferred the root which is /bin/sh with setuid and ran it
> > and he got root....
>
> Once upon a time, one of our nice users brought in a tape he wanted
> read. One of the guys logged in as root, hung the tape and untarred it
> into the nice user's directory.
>
> The tape contained a shell that was setuid root... but we didn't
> discover that 'till later.
>
> Seems this guy didn't want to *break* anything, but just wanted to admin
> the machine himself, being dissatisfied with us. Anyway, i learned
> several valuable lessons:
>
> 1) Scan the machine for setuid programs. Often.
>
> 2) Read user's tapes when logged in as the user.
>
> 3) If you are running a computer system, trust nobody.

This is very true....

Vince
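
Lesson 1 in the quoted message ("Scan the machine for setuid programs. Often."), as an added example that is not part of the original thread: shell functions that list setuid/setgid files and report any that are missing from a saved baseline. The function names and the baseline-file approach are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Typical use, with a hypothetical
# baseline path:
#   scan_suid / > /var/db/suid.baseline      # once, on a known-good system
#   report_suid /var/db/suid.baseline /      # from cron; non-zero exit = alert

# scan_suid DIR... : print every regular file that has the setuid or setgid
# bit set, one path per line, sorted. -xdev keeps find on the filesystem of
# each starting directory, so list every local mount point you care about.
scan_suid() {
    find "$@" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        LC_ALL=C sort
}

# new_suid BASELINE DIR... : print paths that are setuid/setgid now but are
# not listed in BASELINE (a file written earlier by scan_suid).
new_suid() {
    baseline=$1; shift
    current=$(mktemp) || return 2
    scan_suid "$@" > "$current"
    # comm -13 keeps only the lines unique to the second input (the new scan).
    LC_ALL=C sort "$baseline" | LC_ALL=C comm -13 - "$current"
    rm -f "$current"
}

# report_suid BASELINE DIR... : long listing (owner, group, mode) of each new
# setuid/setgid file. Returns 1 when anything new was found, 0 otherwise.
report_suid() {
    found=$(new_suid "$@")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found" | while IFS= read -r f; do
        ls -ld -- "$f"
    done
    return 1
}
```

Keep the baseline somewhere an unprivileged user cannot write. A setuid file that turns up under a home directory, as in both incidents described in the thread, is the case this check is meant to surface.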