Possible security problem, need information...

Henk Smit henk at cs.vu.nl
Thu Mar 21 07:42:37 AEST 1991


debra at wsinis03.info.win.tue.nl (Paul de Bra) writes:

>In article <1991Mar18.200957.166 at gacvx2.gac.edu> dan at gacvx2.gac.edu writes:
>>Is there anything inherently evil in giving world write access to the "root" (aka
>>"/") directory on a BSD 4.3 UNIX system?  The exact permission with the command
>>"ls -ld /" is "drwxrwxrwt".

>Let's see, a user could:
>- remove the kernel (/vmunix or /unix) so you cannot reboot after a crash
>- mv /dev /somethingelse so all devices are unknown (including the tty's
>  so no one can log on...)
>- mv /etc /somethingelse and then mkdir /etc, create your own /etc/passwd...

This would be possible if the permission on / was "drwxrwxrwx", but it is not!
The "t" (sticky bit) on directories means that you must not only have write
permission on the directory, but also be the owner of the file (or directory)
that you want to (re)move.

The only problem I can see so far is if /etc/rc.local contains some lines like

    if   [ -f /somepackage/bin/daemon ]
    then /somepackage/bin/daemon; echo "somepackage started"
    fi

If "somepackage" is not installed, JoeUser can make his own
/somepackage/bin/daemon and wait until the machine reboots.
But most software I have seen lives in "/usr/somepackage", so I guess this
will not be a problem. However strange it seems, I can't see an obvious security
gap in "drwxrwxrwt" on /.


                       Henk.

--
Henk Smit                               Vrije Universiteit     Amsterdam
Internet: henk at cs.vu.nl                 Faculteit Informatica  kamer S4.10
Phone:    +31 20 548 6218
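
Added example, not part of the original post: a shell audit for the rc.local case described in the message above. It lists paths a boot script names that do not exist and whose nearest existing ancestor is a world-writable directory. The function names, the grep heuristic and the temp directory standing in for "/" are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: find paths a boot script refers to that any user could create.

# others_writable DIR: true if "others" may write DIR. Character 9 of the
# "ls -ld" mode string (drwxrwxrwt) is the others-write bit.
others_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# plantable PATH: true if PATH does not exist and its nearest existing
# ancestor is a world-writable directory. The sticky bit stops users from
# removing other people's entries, not from creating new ones.
plantable() {
    p=$1
    if [ -e "$p" ]; then return 1; fi
    while [ ! -e "$p" ]; do p=$(dirname "$p"); done
    [ -d "$p" ] && others_writable "$p"
}

# audit_script FILE: print each absolute path named in FILE that is plantable.
# The grep pattern is a heuristic, not a shell parser.
audit_script() {
    grep -o '/[A-Za-z0-9._/-]*' "$1" | sort -u | while read -r path; do
        if plantable "$path"; then echo "$path"; fi
    done
}

# demo: constructed sample. A temp directory stands in for "/" with mode 1777,
# and the rc.local fragment from the post is rewritten to live under it.
demo() {
    root=$(mktemp -d) && chmod 1777 "$root" || return 1
    mkdir -p "$root/usr/somepackage/bin" && chmod -R 755 "$root/usr"
    : > "$root/usr/somepackage/bin/daemon"
    cat > "$root/rc.local" <<EOF
if   [ -f $root/somepackage/bin/daemon ]
then $root/somepackage/bin/daemon; echo "somepackage started"
fi
if [ -f $root/usr/somepackage/bin/daemon ]; then $root/usr/somepackage/bin/daemon; fi
if [ -f $root/usr/otherpackage/bin/daemon ]; then $root/usr/otherpackage/bin/daemon; fi
EOF
    audit_script "$root/rc.local" | sed "s|^$root||"
    rm -rf "$root"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run with the argument `demo`, it prints only the path under the mode-1777 directory; the missing package under the 755 `usr` directory is not reported.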


