[8726] in bugtraq


Re: Irix tape devices + logs + su

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@VT.EDU)
Fri Dec 18 22:40:06 1998

Date: 	Fri, 18 Dec 1998 18:05:58 -0500
Reply-To: Bugtraq List <BUGTRAQ@NETSPACE.ORG>
From: Valdis.Kletnieks@VT.EDU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Thu, 17 Dec 1998 09:39:11 +0200." 
              <Pine.SGI.4.05.9812170902290.27484-100000@aetos.it.teithe.gr>


On Thu, 17 Dec 1998 09:39:11 +0200, you said:
> entry in root's .cshrc)). So it is possible to have those devices with
> mode 644 or even 666, which is bad news, because anyone could use
> xfsrestore to get any file.

Possibly an issue.  Remember that they still need physical access to
the tape and the tape drive.  xfsrestore isn't set-UID, so a user
can't extract files with a different owner unless they get root first.

I'd worry more about somebody doing an 'mt rewindoffline' to screw up
a running tape job.

>  Also, /var/adm/SYSLOG contains the failed login names (even if they
> don't exist) and by default, this file is forced to be mode 644 (root's
> crontab will take care of this, when rotating the logs).

This can be an issue.

>  Finally, when using su, the user's .cshrc will be executed with
> privileges of the target user (if the su is successful). For example,
> if user nobody has a cp /bin/sh /tmp; chmod 6755 /tmp/sh in his .cshrc
> and he uses su to become root, a rootshell will be available in /tmp :)
> This is valid only for successful su's

So?  They're root, and they could do that *anyhow*. No exposure here.

Now, if the user can trick the sysadmin into su'ing and running the
user's .cshrc *instead* of the sysadmin's, that's more interesting. ;)

--
                                Valdis Kletnieks
                                Computer Systems Senior Engineer
                                Virginia Tech
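
An added example, not part of the original message: a small sh audit that reports the "others" read/write bits on the paths it is given, covering the tape-device and SYSLOG permission concerns raised in this thread. The function names and the tape device path in the usage comment are assumptions; /var/adm/SYSLOG is the path named above.

```shell
#!/bin/sh
# Added example: report world (others) read/write bits on given paths.
# Hypothetical usage: sh audit.sh /var/adm/SYSLOG /dev/tape
#   (/dev/tape is an assumed device path; pass the nodes your system uses)

# world_bits PATH -> prints "r", "w", "rw", "-" (neither) or "missing"
world_bits() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "missing"
        return 2
    fi
    bits=""
    # -H follows a symlink named on the command line (device aliases);
    # -prune stops descent; -perm -NNNN matches when all listed bits are set.
    if [ -n "$(find -H "$f" -prune -perm -0004 -print 2>/dev/null)" ]; then
        bits="${bits}r"
    fi
    if [ -n "$(find -H "$f" -prune -perm -0002 -print 2>/dev/null)" ]; then
        bits="${bits}w"
    fi
    echo "${bits:--}"
}

# audit_paths PATH... -> one line per path; returns 1 if any path is flagged
audit_paths() {
    flagged=0
    for p in "$@"; do
        b=$(world_bits "$p") || true
        case $b in
            missing) echo "SKIP  $p (not present)" ;;
            -)       echo "OK    $p" ;;
            *)       echo "FLAG  $p others=$b"; flagged=1 ;;
        esac
    done
    return $flagged
}

if [ $# -gt 0 ]; then
    audit_paths "$@"
fi
```

Because the thread notes that root's crontab resets the SYSLOG mode when rotating logs, a check like this is only meaningful if it is re-run after rotation.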


