Bugtraq mailing list archives
Re: SunOS syslog() fix, finally...
From: casper () holland Sun COM (Casper Dik)
Date: Fri, 17 Nov 1995 09:26:30 +0100
If you are a BOFH then just kill the setuid bit on ufsrestore. It means that root has to do the restores but it does close an awful lot of holes (like someone dragging in a QIC and restoring their favourite version of /etc/passwd.... need I say more?). Or you could just remove the global rx though this may bugger up remote root users.
The set-uid bit can be safely removed from restore. It is required only if normal users need to be able to restore stuff from remote tape devices (using the rmt protcol which is based on rcmd(3)). It is not true that the set-uid bit on restore is a security risk in that ordinary users can restore files anywhere on the systems or to be owned as another user. Restore resets the uid to the uid of the invoking user before writing files. It was possible in early versions of SunOS (4.0, fixed in 4.1) to restore a set-uid root shell as ordinary user. It was a gaping security hole as you don't need to bring a tape, just a file in dump format with a set-uid root shell would be enough. You can easily create such a file when you know the dump format or on a system you do have root access to. Casper
Current thread:
- Re: Telnet attack on SGI, (continued)
- Re: Telnet attack on SGI Christopher Davis (Nov 03)
- SunOS syslog() fix, finally... Jay 'Whip' Grizzard (Nov 03)
- Re: SunOS syslog() fix, finally... Casper Dik (Nov 04)
- Re: SunOS syslog() fix, finally... Scott Barman (Nov 08)
- Re: SunOS syslog() fix, finally... Jake Luck (Nov 09)
- Re: SunOS syslog() fix, finally... Casper Dik (Nov 10)
- Re: SunOS syslog() fix, finally... Jake Luck (Nov 10)
- Re: SunOS syslog() fix, finally... Casper Dik (Nov 13)
- Re: SunOS syslog() fix, finally... Brett Lymn (Nov 13)
- ufsrestore suid root not a security hole Sean Vickery (Nov 16)
- Re: SunOS syslog() fix, finally... Casper Dik (Nov 17)
- SGI Security Advisory 19951101 - telnetd SGI Security Coordinator (Nov 17)
- SGI Security Advisory 19951101 - telnetd : UPDATE SGI Security Coordinator (Nov 17)
- Re: SunOS syslog() fix, finally... Pug (Nov 10)
- Turning dynamic into static? Lawrence R. Rogers (Nov 09)
- Re: Does the shared lib bug work on any suid program ? Fred Blonder (Nov 03)
- Re: Does the shared lib bug work on any suid program ? John Capo (Nov 03)
- Re: Does the shared lib bug work on any suid program ? Justin Mason (Nov 06)