Getting to root when the password has been lost

Jonathan I. Kamens jik at athena.mit.edu
Sun Oct 14 23:21:19 AEST 1990


In article <1990Oct10.150848.3143 at holos0.uucp>, wdh at holos0.uucp (Weaver Hickerson) writes:
|> anyway, I did a find and found a file that was setuid,
|> belonged to root, and was writable by me.  I wrote a small 'C' program to
|> change the permissions on /etc/passwd to rw-rw-rw (temporarily, of course),
|> linked the program, cat'ted that into the setuid file, and voila.

From the man page write(2) on my BSD 4.3 (well, actually, IBM AOS, but it's
close enough) system:

     If the real user is not the super-user, then write clears
     the set-user-id bit on a file.  This prevents penetration of
     system security by a user who captures a writable set-user-
     id file owned by the super-user.

I consider this to be a very important security feature; the fact that you
were able to use its absence to break into root, after obtaining only access
to a generic non-root account, is good evidence of this.  Does the NCR Tower
not have this in its kernel (if so, I would complain to your vendor!!)?

-- 
Jonathan Kamens			              USnail:
MIT Project Athena				11 Ashford Terrace
jik at Athena.MIT.EDU				Allston, MA  02134
Office: 617-253-8495			      Home: 617-782-0710