Getting to root when the password has been lost

Weaver Hickerson wdh at holos0.uucp
Tue Oct 16 04:57:53 AEST 1990


In article <1990Oct14.132119.27827 at athena.mit.edu> jik at athena.mit.edu (Jonathan I. Kamens) writes:
>In article <1990Oct10.150848.3143 at holos0.uucp>, wdh at holos0.uucp (Weaver Hickerson) writes:
>|> anyway, I did a find and found a file that was setuid,
>|> belonged to root, and was writable by me.  I wrote a small 'C' program to
>|> change the permissions on /etc/passwd to rw-rw-rw (temporarily, of course),
>|> linked the program, cat'ted that into the setuid file, and voila.
>
>From the man page write(2) on my BSD 4.3 (well, actually, IBM AOS, but it's
>close enough) system:
>
  [ Stuff about how BSD write(2) turns off setuid bit deleted ]

>I consider this to be a very important security feature; the fact that you
>were able to use its absence to break into root, after obtaining only access
>to a generic non-root account, is good evidence of this.  Does the NCR Tower
>not have this in its kernel (if so, I would complain to your vendor!!)?
>

Interesting.  I've never seen any mention of this in SysV documentation.  I
just checked SCO Xenix -- no mention.  I did the deed on my Xenix box,
voila, SUID file owned by root, rwsrwxrwx, now contains my own program.
(First I had to use root privilege to create the file, of course.  None
lying around, by any means :)  My account is "generic non-root", since my
UID is not 0.

Is that security feature part of SVID at all, or just BSD??  (It is a good
idea, since it protects some administrators from themselves)

 Postscript is a trademark of Adobe Systems...

 Weaver
-- 
-Weaver Hickerson   Voice (404) 496-1358   :  ..!edu!gatech!holos0!wdh
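Two defender-side checks for the condition discussed in this thread, added here as an example and not part of the original post or either poster's code. The first lists setuid files that are also writable by group or others, the exact combination the original "find" turned up; the second creates a setuid file the current user owns, appends to it, and reports whether the kernel dropped the setuid bit the way the quoted BSD write(2) man page describes. It assumes a POSIX sh with find(1), ls(1), cut(1), mktemp(1) and id(1); the script name setuid_check.sh is made up for the usage line.

```shell
#!/bin/sh
# Added example (not from the original post): two defender-side checks for the
# world-writable setuid file problem discussed in the thread.
# Assumes POSIX sh, find(1), ls(1), cut(1), mktemp(1), id(1).

# List regular files under DIR that are setuid and writable by group or others.
# A file like the one in the thread (setuid root, mode rwsrwxrwx) shows up here;
# on a healthy system the list is empty.  -xdev keeps find on one filesystem.
audit_writable_setuid() {
    find "$1" -xdev -type f -perm -4000 \
        \( -perm -4002 -o -perm -4020 \) -print 2>/dev/null
}

# Probe whether this kernel behaves like the quoted BSD write(2): make a setuid
# file we own, append to it with a plain write, and see if the bit survives.
# Prints "cleared" (bit dropped on write) or "kept".  Run as an ordinary user:
# Linux leaves the bit alone for a writer holding CAP_FSETID (root), so "kept"
# from a root shell says nothing about the protection.
probe_setuid_on_write() {
    dir=$(mktemp -d) || return 2
    f="$dir/probe"
    : > "$f"
    chmod 4755 "$f"
    printf 'appended by %s\n' "$(id -un)" >> "$f"   # ordinary write(2) by the owner
    mode=$(ls -l "$f" | cut -c4)                    # 4th char is s/S while setuid is set
    rm -rf "$dir"
    case "$mode" in
        s|S) echo kept ;;
        *)   echo cleared ;;
    esac
}

# Usage: sh setuid_check.sh /usr   (with no argument only the functions are defined)
if [ $# -gt 0 ]; then
    echo "setuid files writable by group/others under $1:"
    audit_writable_setuid "$1"
    echo "setuid bit after a write by uid $(id -u): $(probe_setuid_on_write)"
fi
```

The audit uses `-perm -4002` / `-perm -4020` (all listed bits set) rather than the GNU-only symbolic `-perm -o=w`, so it runs under the find(1) of any POSIX system. Note that the probe only tells you what the kernel does on write; it does not remove the separate risk of a setuid file that an unprivileged user can replace through a writable directory, which the first check does not look for either.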