From owner-freebsd-hackers Sat Mar 3 16:50: 9 2001
Delivered-To: freebsd-hackers@freebsd.org
Received: from gandalf.vi.bravenet.com (gandalf.bravenet.com [139.142.105.50]) by hub.freebsd.org (Postfix) with SMTP id 4278D37B718 for ; Sat, 3 Mar 2001 16:50:03 -0800 (PST) (envelope-from dphoenix@bravenet.com)
Received: (qmail 1624 invoked by uid 1000); 4 Mar 2001 00:47:21 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 4 Mar 2001 00:47:21 -0000
Date: Sat, 3 Mar 2001 16:47:21 -0800 (PST)
From: Dan Phoenix
To: Chris Costello
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: easy way to crash freebsd
In-Reply-To: <20010303122419.L2028@holly.calldei.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 3 Mar 2001, Chris Costello wrote:

> Date: Sat, 03 Mar 2001 12:24:19 -0600
> From: Chris Costello
> To: Dan Phoenix
> Cc: freebsd-hackers@FreeBSD.ORG
> Subject: Re: easy way to crash freebsd
>
> On Friday, March 02, 2001, Dan Phoenix wrote:
> > People asking me how this could be used as a local user.
> > Well i guess if you wanted to you could find something root runs
> > that writes to /tmp then umask resolv.conf
> > and echo "" > resolv.conf
>
> Could you expand on this, please? What does finding a root
> utility that writes to /tmp have to do with umasking a file?
> (I've found it rather difficult to umask files in the past.)
>
> --
> +-------------------+----------------------------+
> | Chris Costello    | I just found the last bug. |
> | chris@calldei.com |                            |
> +-------------------+----------------------------+
>

Well, one of the concepts is to umask 4777 then write as many tmp files to the tmp dir as you can, symlinking to say /etc/master.passwd....which would really do nothing I would imagine...symlinking to spwd.db would prob be better. Afterwards you have write perms to the file with whatever root wrote to it.
I believe that is the basic concept....many of these have been fixed. BTW in no way do I promote this....just explaining the concept.

[root@elrond dphoenix]# ls /tmp
commitlog*  elist.log  fcsignup.log  mysql.sock=  screens/
[root@elrond dphoenix]#

For me it shows this.....I guess in this case you could wait for root to shut down mysql and link that mysql.sock= to some database you want overwritten. I am not sure if it works the same for socket files. Best to ask one of the Unix gurus :)