Vulnerability Development mailing list archives
Re: redhat 6.1 mail
From: lcamtuf () DIONE IDS PL (Michal Zalewski)
Date: Fri, 24 Mar 2000 11:03:48 +0100
one day i found that redhat 6.1 takes not only suid bits but also guid. you are owner of your mail file but it still belongs to the group mail
/var/mail/user
Maybe talking about other RH6.1?;> [root@forwarder spool]# ls -ld /var/spool/mail drwxrwxr-x 2 root mail 4096 Mar 24 01:01 /var/spool/mail [root@forwarder spool]# cat /etc/redhat-release Red Hat Linux release 6.1 (Cartman)
chmod 4700 /var/mail/user
Even if so, you have to set setgid bit! you've set only setuid, while you're the owner... AND even if so, I haven't seen /var/spool/mail setuid or setgid anywhere - sometimes it is world writable, but with STICKY (+t) bit set. AND again, even if so, standard Linux semantics won't allow you to set sgid bit for file if you don't belong to specific group. SO: [nobody@forwarder /]$ ls -ld /DUPA drwxrwsrwx 2 root root 4096 Mar 24 10:58 /DUPA [nobody@forwarder /]$ cat /usr/bin/id >/DUPA/id [nobody@forwarder /]$ chmod 2755 /DUPA/id [nobody@forwarder /]$ ls -l /DUPA/id -rwxr-xr-x 1 nobody root 10168 Mar 24 10:59 /DUPA/id [nobody@forwarder /]$ /DUPA/id uid=99(nobody) gid=99(nobody) groups=99(nobody) This mail sucks. _______________________________________________________ Michal Zalewski * [lcamtuf () ags pl] <=> [AGS WAN SYSADM] [dione.ids.pl SYSADM] <-> [http://lcamtuf.na.export.pl] [+48 22 551 45 93] [+48 603 110 160] bash$ :(){ :|:&};: =-----=> God is real, unless declared integer. <=-----=
Current thread:
- redhat 6.1 mail jan bakker (Mar 20)
- Re: redhat 6.1 mail H D Moore (Mar 22)
- Re: redhat 6.1 mail Michal Zalewski (Mar 24)
- Re: redhat 6.1 mail Christopher Rhodes (Mar 24)
- Re: redhat 6.1 mail Luis Pinto (Mar 23)
- Re: redhat 6.1 mail H D Moore (Mar 22)