From owner-freebsd-hackers Thu Jun 27 01:39:22 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id BAA10308 for hackers-outgoing; Thu, 27 Jun 1996 01:39:22 -0700 (PDT)
Received: from proxy.siemens.at (proxy.siemens.at [192.138.228.19]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id BAA10273; Thu, 27 Jun 1996 01:38:11 -0700 (PDT)
Received: from sol1.gud.siemens.co.at (sol-f.gud.siemens-austria) by proxy.siemens.at with SMTP id AA12438 (5.67a/IDA-1.5); Thu, 27 Jun 1996 10:37:21 +0200
Received: from ws2301.gud.siemens.co.at by sol1.gud.siemens.co.at with smtp (Smail3.1.28.1 #7 for ) id m0uZCZZ-00020FC; Thu, 27 Jun 96 10:37 MET DST
Received: by ws2301.gud.siemens.co.at (1.37.109.16/1.37) id AA158394572; Thu, 27 Jun 1996 10:36:12 +0200
From: "Hr.Ladavac"
Message-Id: <199606270836.AA158394572@ws2301.gud.siemens.co.at>
Subject: Re: I need help on this one - please help me track this guy down!
To: michaelv@HeadCandy.com (Michael L. VanLoon -- HeadCandy.com)
Date: Thu, 27 Jun 1996 10:36:11 +0200 (MESZ)
Cc: vince@mercury.gaianet.net, ejs@bfd.com, mark@grumble.grondar.za, hackers@FreeBSD.org, security@FreeBSD.org, chad@mercury.gaianet.net, jbhunt@mercury.gaianet.net
In-Reply-To: <199606270321.UAA01884@MindBender.HeadCandy.com> from "Michael L. VanLoon -- HeadCandy.com" at Jun 26, 96 08:21:02 pm
X-Mailer: ELM [version 2.4 PL24 ME8a]
Mime-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

In his e-mail Michael L. VanLoon -- HeadCandy.com wrote:
>
>
> >> > It was a remote login so he had to transfer it over somehow...
>
> >> Well, *if* that's true, it still wouldn't be setuid root just from the
> >> transfer. He'd *still* have to get root some other way to make this
> >> binary setuid root.
> >> But if he's going to do that, why bother copying a binary over the
> >> network -- it would just be easier to just snag a copy of your own
> >> /bin/sh and mark it setuid root.
>
> > Hmmm, what happens if he tars it first and then sends it over?
>
> Try it. :-) That's the only way to figure all this stuff out...
>
> Seriously, you must be root to create a setuid root file. It doesn't
> matter *how* you try to create it.

A five dollar question Vince: does root have .rhosts in his home directory?
What is to be found there? If he does, throw it away; it's enormously
insecure. Similar with /etc/host.equiv et cetera.

/Marino
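
The check suggested in the reply above (see whether root has a .rhosts and what is in it), as an added example that is not part of the original message: a POSIX sh audit of rhosts-style trust entries. It assumes the classic "host [user]" entry format with "+" as a wildcard; the function names, severity labels and sample entries are constructed for this example.

```shell
#!/bin/sh
# Added example: audit rhosts-style trust files (root's .rhosts, hosts.equiv).
# Entries are "host [user]"; a bare "+" in either field is a wildcard.
# Function names and severity labels are this example's own.

# classify_entry HOST [USER]: print deny, critical, high or trust.
classify_entry() {
    host=$1
    user=${2:-}
    case "$host,$user" in
        -*|*,-*) echo "deny"; return 0 ;;   # negative entry grants nothing
    esac
    if [ "$host" = "+" ] && [ "$user" = "+" ]; then
        echo "critical"                     # any user from any host
    elif [ "$host" = "+" ] || [ "$user" = "+" ]; then
        echo "high"                         # wildcard host or wildcard user
    else
        echo "trust"                        # named host, still no password
    fi
}

# audit_trust_entries LABEL: read entries on stdin, print one finding per
# granting entry, return non-zero when at least one was found.
audit_trust_entries() {
    label=$1
    findings=0
    while read -r host user _rest || [ -n "$host" ]; do
        case "$host" in ''|'#'*) continue ;; esac
        sev=$(classify_entry "$host" "$user")
        [ "$sev" = "deny" ] && continue
        echo "$sev: $label: $host ${user:-(same-name user)}"
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

constructed_sample() {   # constructed entries, not taken from the thread
    cat <<'EOF'
# sample trust file
trusted.example.com
build.example.com alice
+ +
+ bob
-blocked.example.com
EOF
}

# Audit the files given as arguments, or the constructed sample if none.
for f in "$@"; do [ -r "$f" ] && audit_trust_entries "$f" < "$f" || true; done
[ "$#" -gt 0 ] || constructed_sample | audit_trust_entries sample || true
```

Run it with the trust files to inspect as arguments, for example root's .rhosts and the system-wide equivalence file; any line it prints is an entry that lets someone log in without a password.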