Date: Mon, 4 Aug 1997 00:09:30 +0930 (CST)
From: Michael Smith <msmith@atrad.adelaide.edu.au>
To: jonz@netrail.net (Jonathan A. Zdziarski)
Cc: security@FreeBSD.ORG
Subject: Re: setuid shutdown?
Message-ID: <199708031439.AAA14256@genesis.atrad.adelaide.edu.au>
In-Reply-To: <Pine.BSF.3.95q.970803100305.4197B-100000@netrail.net> from "Jonathan A. Zdziarski" at "Aug 3, 97 10:05:45 am"
Jonathan A. Zdziarski stands accused of saying:
> I just realized that my version of freebsd 2.2.2 installs with a
> set-uid-root shutdown command allowing anybody who wants to shutdown or
> reboot the server.

silver:~>ls -l `which shutdown`
-r-sr-x---  1 root  operator  135168 Jun  7 18:37 /sbin/shutdown

This is consistent with what 'operator' means in my book.  8)

> Also: I noticed that 2.2.2 installs /usr/bin/perl (4) and a setuid root
> version of it as well (found this out when I noticed that adduser and
> rmuser are perl and not c).  If I'm not mistaken 4 has some major security
> problems with setuid perl, no?

Correct.  If you are running a production system you should have read all
of the advisories released since 2.2.2, and preferably be tracking -stable
on a support system, or installing the rolling 2.2-stable snapshots
post-advisory.

At this stage, there is not a security-update-patch mechanism more
advanced than this.

-- 
]] Mike Smith, Software Engineer        msmith@gsoft.com.au             [[
]] Genesis Software                     genesis@gsoft.com.au            [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control.         (ph) +61-8-8267-3493            [[
]] Unix hardware collector.             "Where are your PEZ?" The Tick  [[
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?199708031439.AAA14256>
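The distinction Mike draws above is between a setuid-root program whose execute bit is limited to a trusted group (`-r-sr-x--- root operator` for `/sbin/shutdown`) and one that any local user can run (the setuid `perl` 4 binary). The following POSIX shell script is an added example, not code from the thread or from FreeBSD: it walks a directory, lists every setuid file, and labels it `WORLD` when the "other" execute bit is set or `GROUP-ONLY` when it is not. It generalizes the `ls -l` check in the message to any setuid file under a tree. The function names (`audit_setuid`, `count_setuid`, `count_world`, `make_fixture`) and the fixture files (`shutdown`, `suidperl`, `plain`) are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original thread): audit setuid files under a
# directory and separate the ones any user may execute from those whose
# execute permission is restricted to the owning group.

# audit_setuid DIR
#   Prints one line per setuid file found under DIR:
#   "<mode> <owner> <group> <path> <verdict>"
#   verdict is WORLD if the 'other' execute bit (position 10 of the
#   ls -l mode string, 'x' or 't') is set, GROUP-ONLY otherwise.
audit_setuid() {
    dir=$1
    # -perm -4000 matches files with the setuid bit regardless of other bits
    find "$dir" -type f -perm -4000 2>/dev/null | sort | while read -r f; do
        # Take only the first 10 mode characters: some systems append '+'
        # or '@' to flag ACLs or extended attributes.
        ls -ld "$f" | awk -v path="$f" '{
            mode = substr($1, 1, 10)
            other_x = substr(mode, 10, 1)
            verdict = (other_x ~ /[xt]/) ? "WORLD" : "GROUP-ONLY"
            print mode, $3, $4, path, verdict
        }'
    done
}

# count_setuid DIR: number of setuid files under DIR.
count_setuid() {
    audit_setuid "$1" | wc -l | tr -d ' '
}

# count_world DIR: number of setuid files under DIR that anyone can execute.
# grep -c exits 1 on zero matches; '|| true' keeps the printed 0 usable.
count_world() {
    audit_setuid "$1" | grep -c ' WORLD$' || true
}

# make_fixture: build a constructed directory with three sample scripts
# so the audit can be exercised offline. Prints the directory path.
#   shutdown  -> mode 4550 (-r-sr-x---), setuid but group-only, like the
#                /sbin/shutdown listing in the message
#   suidperl  -> mode 4755 (-rwsr-xr-x), setuid and world-executable
#   plain     -> mode  755, not setuid; must not be reported
make_fixture() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho shutdown\n' > "$d/shutdown"
    printf '#!/bin/sh\necho suidperl\n' > "$d/suidperl"
    printf '#!/bin/sh\necho plain\n'    > "$d/plain"
    chmod 4550 "$d/shutdown"
    chmod 4755 "$d/suidperl"
    chmod 755  "$d/plain"
    printf '%s\n' "$d"
}
```

To use it on a live system, source the file and run `audit_setuid /usr/bin` (or `/sbin`, `/usr/local/bin`); every `WORLD` line is a setuid program that deserves a look at the advisories for its version, while `GROUP-ONLY` lines show the `operator`-style restriction Mike describes. Because the fixture files are owned by whoever runs the script rather than root, the owner column will not read `root` in the sample output; the verdict logic depends only on the mode string.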