Full Disclosure mailing list archives
Re: /bin/rm file access vulnerability
From: Jeffrey Denton <dentonj () gmail com>
Date: Thu, 30 Dec 2004 20:56:15 -0700
Nothing new here. That is one of the problems with DAC systems, the admin has total control over the system. With UNIX/Linux, it's even possible for users to delete files from their home directory even if they are owned by root. Say for example, the admin wants to create a zero length .rhosts file to prevent the user from using that file to open a hole in the system:

username@hostname:~$ ls -l .rhosts
/usr/bin/ls: .rhosts: No such file or directory
username@hostname:~$ su
Password:
root@hostname:/home/username# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy)
root@hostname:/home/username# touch .rhosts
root@hostname:/home/username# ls -l .rhosts
-rw-r--r-- 1 root root 0 2004-12-30 20:04 .rhosts
root@hostname:/home/username# exit
exit
username@hostname:~$ id
uid=1000(username) gid=1000(username) groups=1000(username),10(wheel),11(floppy),17(audio),18(video),19(cdrom)
username@hostname:~$ rm .rhosts
/bin/rm: remove write-protected regular empty file `.rhosts'? y
username@hostname:~$ ls -l .rhosts
/usr/bin/ls: .rhosts: No such file or directory
username@hostname:~$ ls -ld /home/username/
drwx--x--x 59 username username 8192 2004-12-30 20:05 /home/username/

This is not new. From the book, "Practical UNIX & Internet Security", 2nd Ed., page 116:

"To unlink a file from a directory, you need only have write and execute access to that directory even if you have no access rights to the file itself."

Every so often, someone "discovers" this security hole in UNIX/Linux. To prevent the above from happening, use a MAC or a RBAC system such as Trusted Solaris.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
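The rule quoted above (unlink needs write and execute on the directory, not any right on the file) can be checked without root. The following is an added demonstration, not code from the post or its author; it assumes a POSIX shell and `mktemp -d`, and runs as an ordinary user in a scratch directory.

```sh
#!/bin/sh
# Added demonstration, not code from the original post: the permission that
# gates unlink() is write+execute on the containing directory; the file's own
# mode bits are irrelevant. Runs as the current unprivileged user in a
# scratch directory created with mktemp (assumed available).

# Returns 0 if a mode-0444 file inside a writable directory can be removed.
unlink_readonly_file_in_writable_dir() {
    d=$(mktemp -d) || return 2
    : > "$d/.rhosts"
    chmod 0444 "$d/.rhosts"          # file is "write-protected"
    chmod 0700 "$d"                  # directory grants w+x to its owner
    # -f only silences rm's interactive prompt; the kernel still decides.
    rm -f "$d/.rhosts" 2>/dev/null || true
    if [ -e "$d/.rhosts" ]; then rc=1; else rc=0; fi
    rm -rf "$d"
    return $rc
}

# Returns 0 if unlink() is refused because the directory lacks write
# permission, even though the file itself is writable. Root (or any process
# with CAP_DAC_OVERRIDE) bypasses this check, which is exactly the DAC
# limitation the post describes, so run this as an ordinary user.
unlink_refused_in_readonly_dir() {
    d=$(mktemp -d) || return 2
    : > "$d/.rhosts"
    chmod 0644 "$d/.rhosts"          # file is writable by its owner
    chmod 0500 "$d"                  # directory: r-x only, no w
    if rm -f "$d/.rhosts" 2>/dev/null; then
        rc=1                         # removal went through: unexpected
    else
        rc=0                         # EACCES from unlink(): expected
    fi
    chmod 0700 "$d"                  # restore so cleanup can proceed
    rm -rf "$d"
    return $rc
}

# Standalone run: report both cases.
if unlink_readonly_file_in_writable_dir; then
    echo "0444 file in writable dir: removed (file mode did not matter)"
fi
if unlink_refused_in_readonly_dir; then
    echo "0644 file in r-x dir: unlink refused (directory mode is what counts)"
else
    echo "0644 file in r-x dir: removed (are you root? DAC was bypassed)"
fi
```

The second case is the defender's check: a root-owned zero-length .rhosts survives only if the user lacks write access to the directory holding it, which is why the post points at MAC/RBAC rather than file modes.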
Current thread:
- Re: /bin/rm file access vulnerability bkfsec (Dec 31)
- Re: /bin/rm file access vulnerability J.A. Terranson (Jan 06)
- Re: /bin/rm file access vulnerability bkfsec (Jan 06)
- <Possible follow-ups>
- Re: /bin/rm file access vulnerability Sean Harlow (Dec 31)
- Re: /bin/rm file access vulnerability vh (Jan 06)
- Re: /bin/rm file access vulnerability Jeffrey Denton (Dec 31)
- Re: /bin/rm file access vulnerability Frank Knobbe (Jan 02)
- Re: /bin/rm file access vulnerability vh (Jan 06)
- Re: /bin/rm file access vulnerability J.A. Terranson (Jan 06)
- Re: /bin/rm file access vulnerability Jerry (Jan 03)
- Re: /bin/rm file access vulnerability James Longstreet (Jan 01)
- Re: /bin/rm file access vulnerability Valdis . Kletnieks (Jan 04)
- Re: /bin/rm file access vulnerability Alex V. Lukyanenko (Jan 03)