Findsuid source (Re: Security an
emks at uokvax.UUCP
Fri Feb 8 19:08:00 AEST 1985
/***** uokvax:net.unix-wizar / enmasse!mike / 8:04 pm Feb 1, 1985 */
> Another problem with having a find-suid-programs program that runs based
> on crontab entries is that anyone can see when the find-suid-programs
> program is going to run next, and make their moves on that basis.
>
> kurt
But what are they going to do about it? I suppose that if they knew the
order in which file systems were traversed they might be able to move
their program to a safe area and back again when all clear but this seems
a little drastic. Easier to just modify an existing suid-root program
(like su) to grant a specific user or password root access.
CACM had an interesting article on this stuff a while back...
It amounted to this: once root has been compromised just once,
the whole system is suspect unless everything is rebuilt from scratch,
from the distribution tape.
/* ---------- */
Your last paragraph is correct. From a more practical standpoint, though,
were I to find some loophole (like using sendmail to create suid-root
files containing binaries, etc.), I'd prefer to know at what time the
regular search for suid programs took place. If I *knew* that the
find started at 4 a.m., I'd remove all traces before then.
That's all a hypothetical "what-if" thing, though. You're far more correct
to say that once a system's been broken, it remains that way (from a
potential security violation standpoint) until a trustworthy person brings
in certified "clean" code.
kurt
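For readers of this exchange, here is a small findsuid-style script that addresses both points raised above: it records a checksum for every setuid/setgid file, so a patched su is caught even though its path was already on the list (mike's attack), and it sleeps a random interval before scanning, so the crontab line does not give away the exact moment the search runs (kurt's objection). This is an added example written for this archive page; it is not the findsuid program the thread refers to, and the script name findsuid.sh, the baseline file name and the 1800-second jitter are assumptions. It relies on GNU find's -printf and POSIX cksum(1); the baseline must come from a system you actually trust, which is the thread's closing point.

```sh
#!/bin/sh
# findsuid.sh - added example, not the findsuid program discussed in the thread.
# Records every setuid/setgid regular file with its mode, owner and checksum,
# then compares a later scan against that baseline. A plain listing of suid
# paths would miss a backdoored su; the checksum catches it.
# Assumes GNU find (-printf) and POSIX cksum.

# scan_suid ROOT: one line per set-id file, "<octal mode> <owner> <crc> <path>",
# sorted so two scans can be compared with comm(1).
scan_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -printf '%m %u %p\n' 2>/dev/null |
    while read -r mode owner path; do
        crc=$(cksum < "$path" | cut -d' ' -f1)
        printf '%s %s %s %s\n' "$mode" "$owner" "$crc" "$path"
    done | LC_ALL=C sort
}

# compare_suid BASELINE CURRENT: print differences; return 1 if there are any.
# A patched su keeps its path but changes its checksum, so it appears as
# both REMOVED (old line) and NEW OR CHANGED (new line).
compare_suid() {
    base="$1"; cur="$2"
    added=$(LC_ALL=C comm -13 "$base" "$cur")     # only in the current scan
    removed=$(LC_ALL=C comm -23 "$base" "$cur")   # only in the baseline
    if [ -z "$added" ] && [ -z "$removed" ]; then
        return 0
    fi
    [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/NEW OR CHANGED: /'
    [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/REMOVED: /'
    return 1
}

# jitter_seconds MAX: random delay in [0, MAX) so the scan does not start at
# the minute printed in the crontab entry.
jitter_seconds() {
    max="${1:-3600}"
    r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' ')
    echo $(( r % max ))
}

# Command-line use (names assumed for this example):
#   findsuid.sh baseline /  > suid.base        # taken on a known-clean system
#   findsuid.sh check suid.base /              # from cron; exit 1 on any change
case "${1:-}" in
    baseline) scan_suid "$2" ;;
    check)
        sleep "$(jitter_seconds 1800)"
        tmp=$(mktemp)
        scan_suid "$3" > "$tmp"
        compare_suid "$2" "$tmp"; rc=$?
        rm -f "$tmp"
        exit "$rc" ;;
esac
```

The baseline should live somewhere the intruder cannot rewrite (removable or read-only media is the 1985-era answer), otherwise a root compromise simply updates the baseline along with su.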