Bugtraq mailing list archives
Re: bin ownership problem
From: casper () fwi uva nl (Casper Dik)
Date: Thu, 19 May 94 09:59:28 +0200
Ok, I'll expose my ignorance and ask, what is the specific vulnerability of bin owned files? I understand how it is a problem on NFS exported files to insecure hosts, but what is the risk for files/dirs on a locally non-exported file system? What about groups, is bin a bad group also?
Apart from the problem with NFS exports, there might be a second problem: an easy way to become root from being that other user.

Root should own all files it executes and all directories they are contained in, or an easy transition from user (e.g. bin) to root is possible. There have been a number of bugs/configuration errors that make it possible for a cracker to become any user but root. On systems with certain files (e.g., /bin/sh) / directories (e.g., /etc) owned by bin, an easy path to root is provided.

Group ownership is another matter entirely, as long as the files/dirs don't have group write permission. Unfortunately, some systems ship like that. E.g., Solaris 2.x ships with mode 775 /etc and far too many other files as well.

A script to fix many of Solaris' faulty modes while still maintaining the ability to install patches can be found in ftp.fwi.uva.nl:/pub/solaris/auto-install/*.

Casper
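An audit for the condition described in the message above, added here as an example and not part of the original post or the script it mentions: it checks a file and every directory containing it for non-root ownership and group write permission. The names `audit_chain`, `trusted_uids` and `stop` are hypothetical, and the world-write check goes one step beyond what the message states.

```python
import os
import stat


def audit_chain(path, trusted_uids=frozenset({0}), stop="/"):
    """Check `path` and every directory above it, up to and including `stop`.

    Returns a list of (path, problem) tuples; an empty list means every
    component is owned by a trusted uid and is not group- or world-writable.
    """
    findings = []
    current = os.path.realpath(path)   # follow symlinks such as /bin -> /usr/bin
    stop = os.path.realpath(stop)
    while True:
        st = os.lstat(current)
        mode = stat.S_IMODE(st.st_mode)
        # Whoever owns a component can replace or chmod what root runs from it.
        if st.st_uid not in trusted_uids:
            findings.append((current, "owned by uid %d" % st.st_uid))
        # Group ownership only matters when the group can write.
        if mode & stat.S_IWGRP:
            findings.append((current, "group-writable, mode %04o" % mode))
        # Not in the original message: world write is the same problem, wider.
        if mode & stat.S_IWOTH:
            findings.append((current, "world-writable, mode %04o" % mode))
        parent = os.path.dirname(current)
        if current == stop or parent == current:
            break
        current = parent
    return findings


if __name__ == "__main__":
    # The two paths the message names as examples.
    for target in ("/bin/sh", "/etc"):
        for where, problem in audit_chain(target):
            print("%s: %s" % (where, problem))
```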