From owner-freebsd-security Sat Jul 13 00:47:09 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id AAA18356 for security-outgoing; Sat, 13 Jul 1996 00:47:09 -0700 (PDT)
Received: from dns2.noc.best.net (dns2.noc.best.net [206.86.0.21]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id AAA18345 for ; Sat, 13 Jul 1996 00:47:06 -0700 (PDT)
Received: from shellx.best.com (shellx.best.com [206.86.0.11]) by dns2.noc.best.net (8.6.12/8.6.5) with SMTP id AAA04669 for ; Sat, 13 Jul 1996 00:47:03 -0700
Date: Sat, 13 Jul 1996 00:47:03 -0700 (PDT)
From: David Lowe
To: security@freefall.freebsd.org
Subject: dump, rdump
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

/sbin/dump and /sbin/rdump probably shouldn't be world-executable, as they
are in the default config of 2.1.0-STABLE.  As far as I know, this isn't a
root-gaining problem, but any user can use:

    /sbin/dump 0f $HOME/whatever /usr    (or /var)

and parse the files created for interesting info.  My biggest concern would
be that any user could read any other's incoming or outgoing mail using this
technique and a short awk program.

So much for the bug description.  Now my related questions.  From main.c in
/usr/src/sbin/dump:

    (void)setuid(getuid()); /* rmthost() is the only reason to be setuid */

So it would appear that the program has reverted to the real user-id.  Why
then is it able to read all files on /usr or /var?  And yet can't open / to
dump it (which would be a more severe problem, allowing access to the
passwords)?  I'm stumped.

Thanks.

J. David Lowe ::: dlowe@best.com ::: ai334@freenet.carleton.ca
http://www.best.com/~dlowe/ ::::: ftp://ftp.best.com/web1/dlowe/
finger for pgp key and geek code
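A small audit script, added here as an example and not part of David Lowe's message or of FreeBSD's own code. It reports the bits the message is asking about: whether /sbin/dump and /sbin/rdump are world-executable, whether they carry a setuid or setgid bit, and which group can read the raw device nodes that dump opens. The device names in RAW_DEVICES are an assumption; set them to the raw partitions of the system being checked.

```sh
#!/bin/sh
# Added audit script (example, not code from the original message or from FreeBSD).
# Reports set-id bits and world-execute on dump/rdump, and who can read the raw
# device nodes that dump opens. RAW_DEVICES is an assumption: list the raw
# partitions of the system being checked (see `mount` and `ls /dev`).
RAW_DEVICES="/dev/rwd0a /dev/rsd0a"

# audit_mode MODE GROUP
#   MODE  - symbolic mode as printed by `ls -l`, e.g. -r-sr-xr-x (a trailing
#           + or @ for ACLs/extended attributes is ignored)
#   GROUP - group name from the same ls line
# Prints a comma-separated list of findings, or "ok" when none apply.
audit_mode() {
    mode=$(printf '%.10s' "$1")
    group=$2
    found=""
    case $mode in ???[sS]??????) found="${found}setuid,";; esac
    case $mode in ??????[sS]???) found="${found}setgid:${group},";; esac
    case $mode in ????r?????) found="${found}group-read:${group},";; esac
    case $mode in ???????r??) found="${found}world-read,";; esac
    case $mode in ?????????[xt]) found="${found}world-exec,";; esac
    if [ -z "$found" ]; then
        echo ok
    else
        printf '%s\n' "${found%,}"
    fi
    return 0
}

# report PATH
# Runs audit_mode on a real path using `ls -ld`; fields 1 and 4 are the mode
# and group on both BSD and GNU ls.
report() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "$path: not present"
        return 0
    fi
    line=$(ls -ld "$path")
    mode=$(printf '%s\n' "$line" | awk '{print $1}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    echo "$path: $(audit_mode "$mode" "$group")"
    return 0
}

for f in /sbin/dump /sbin/rdump $RAW_DEVICES; do
    report "$f"
done
```

Run it as an unprivileged user. A set-id bit on the binary together with a group-readable raw device node is the combination to look at when asking how a non-root run of dump can read files the user could not open directly; removing world-execute from the binary, as the message proposes, is the corresponding mitigation.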