Vulnerability Development mailing list archives

Re: volcheck and sol 8


From: mpotter () ATPCO COM (Matthew Potter)
Date: Thu, 20 Jul 2000 16:51:30 -0400


At 10:20 PM 7/20/00 +0200, you wrote:
"MP" == Matthew Potter <mpotter () ATPCO COM> writes:

   MP> Anyone notice when they insert their goodies CD (the one with
   MP> the GNU Tools) from Solaris 8 that it auto runs a script
   MP> called volstart.

> Which user is running volstart? root?

Root. Vold runs as root. Although it might switch to another id. I'd have
to poke around.

volstart is a new feature with Solaris 8 (I've never heard of it before 8)...

it executes /usr/dt/bin/dtaction Run $dir_name/script_here

dtaction is suid root sgid sys.


   MP> So what happens if I make my own CD with a little shell script
   MP> which calls a prebuilt binary with a setuid and setgid 0,
   MP> then system("/bin/sh")....  or whatever I want.

> I am not sure there is a way to set the setUID bit on a CD (are UFS CDs
> still supported?), however, you may not need this.

I am not talking about setting a suidbit, which is a good idea. Just a
simple 2 line C program that the system would execute a root shell/xterm
up, etc.. Assuming it runs as root, I am pretty sure it does. But it might
give up privilege upon executing the script/binary...


   MP> It's silly since I have physical access anyways....

> This way, you can send a CD with a trojan horse.
> Funny... This is a classical trick on Windows. "Always disable the
> autorun feature" :)

Yeah, I've been disabling vold for a long time now, unless it's necessary.
For most servers you don't need it.

